Mutagen Virus
Virus Name: Mutagen
Aliases: Mutagen.Garden, Garden
V Status: Viron
Discovered: August, 1994
Symptoms: .COM & .EXE files overwritten; program corruption;
file date/time changes
Origin: Unknown
Eff Length: 1,737 - 1,765 Bytes (Approximate)
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: Sweep, NAV, NAVDX, VAlert, AVTK, ChAV,
IBMAV, PCScan, ViruScan,
Sweep/N, NAV/N, NShld, IBMAV/N, AVTK/N 7.60+, LProt,
Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Mutagen virus, also known as Mutagen.Garden or Garden, was received
in August, 1994. Its origin or point of isolation is unknown. Mutagen
is a non-resident, direct action overwriting virus which infects .COM
and .EXE files, including COMMAND.COM. It is a polymorphic, encrypted
virus.
When a program infected with the Mutagen virus is executed, the
virus will infect the first three .COM files located in the current
directory, the copy of COMMAND.COM located in the C: drive root
directory, and as many as all of the files located in the directories
above the current directory in the directory structure.
If the first three .COM files in the current directory were previously
infected, and there are no additional .COM files in the directory, the
virus will proceed to infect up to two .EXE files in the directory.
The virus may then display one of the following messages, and return
the user to the DOS prompt:
"Not enough memory."
"I need 4K more to start myself!"
Programs infected with the Mutagen virus will have a file length
increase of approximately 1,737 to 1,765 bytes. The virus will be
located at the beginning of the file, because it overwrites the
beginning of the host file. The file's date and time in the DOS disk
directory listing will have been updated to the current system date
and time.
The following text strings are encrypted within the Mutagen viral
code:
"*.com *.exe .. c:\command.com c:\garden.com"
"[Garden] This is Garden V1.0.Very simple virus.New
version will be better!!!"
"Not enough memory."
"I need 4K more to start myself!"
"FUCK PEARL JAM!!!!LONG LIVE TECHNO!!!!"
"[Mutagen 1.00] MnemoniX"
Mutagen permanently corrupts the programs it infects, so all infected
programs must be replaced with uninfected backup copies.
Known variant(s) of Mutagen are:
Mutagen.Agent I: Received in January, 1995, Mutagen.Agent I is
a non-resident, direct action parasitic virus. It infects
one .COM program in the current directory each time an infected
program is executed. Programs infected with Mutagen.Agent I
will have a file length increase of approximately 2,267 to
2,307 bytes. The virus will be located at the end of the
file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string can
be found starting in the fourth byte of all infected files:
"GM"
The following additional text strings are encrypted within
the Mutagen.Agent I viral code:
"[MutaGenic Agent I]"
"[MutaGen 2.0] MnemoniX"
Origin: Unknown January, 1995.
Mutagen.Agent III: Received in January, 1995, Mutagen.Agent III is
a memory resident infector of .COM and .EXE files, including
COMMAND.COM. Its size in memory is 6,348 bytes, and it hooks
interrupt 21. Once memory resident, it infects programs when
they are executed. Infected files will have a file length
increase of 3,368 bytes with the virus being located at the
end of the file. The file length increase, as well as the
presence of the viral code in the file, will be hidden when the
virus is memory resident. The file's date and time in the DOS
disk directory listing will not be altered. The following
text strings are encrypted within the viral code:
"MutaGenic Agent [I]"
"MutaGen 2.0] MnemoniX"
The DOS CHKDSK program will indicate file allocation errors on
all infected files when the virus is memory resident.
Origin: Unknown January, 1995.
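
Added example (not part of the original entry): a triage sketch that compares a known-good file manifest against the current one and labels files whose growth, date/time behavior and "GM" marker match the symptoms listed above. The names FileState, PROFILES, classify and triage and the sample manifests are hypothetical; because Mutagen.Agent III hides its length increase while memory resident, the current manifest is assumed to have been taken while the virus is not resident.

```python
from dataclasses import dataclass

@dataclass
class FileState:
    size: int           # file length in bytes
    mtime: int          # DOS directory date/time, as any comparable integer
    head: bytes = b""   # first bytes of the file (needed for the current state)

# (label, min growth, max growth, date/time altered?) as given in the entry;
# the entry calls the first two ranges approximate.
PROFILES = [
    ("Mutagen", 1737, 1765, True),
    ("Mutagen.Agent I", 2267, 2307, False),
    ("Mutagen.Agent III", 3368, 3368, False),
]

def classify(name, baseline, current):
    """Return the variant labels whose described symptoms match this file."""
    ext = name.upper().rsplit(".", 1)[-1]
    growth = current.size - baseline.size
    stamp_changed = current.mtime != baseline.mtime
    hits = []
    for label, lo, hi, alters_stamp in PROFILES:
        if not lo <= growth <= hi or stamp_changed != alters_stamp:
            continue
        if label == "Mutagen.Agent I":
            # Entry: infects .COM programs, "GM" starts in the fourth byte.
            if ext != "COM" or current.head[3:5] != b"GM":
                continue
        elif ext not in ("COM", "EXE"):
            continue
        hits.append(label)
    return hits

def triage(baseline, current):
    """Compare two {filename: FileState} manifests; return {filename: labels}."""
    report = {}
    for name, cur in current.items():
        hits = classify(name, baseline[name], cur) if name in baseline else []
        if hits:
            report[name] = hits
    return report

# Constructed sample manifests (hypothetical files, not real samples).
BASELINE = {"EDIT.COM": FileState(4000, 100), "FORMAT.COM": FileState(22717, 100),
            "CHKDSK.EXE": FileState(12241, 100), "MORE.COM": FileState(2618, 100)}
CURRENT = {"EDIT.COM": FileState(5750, 900, b"\x90\x90\x90\x90\x90"),
           "FORMAT.COM": FileState(24997, 100, b"\xe9\x00\x10GM"),
           "CHKDSK.EXE": FileState(15609, 100, b"MZ\x00\x00\x00"),
           "MORE.COM": FileState(4898, 100, b"\xe9\x00\x10\x00\x00")}
```

A match is only a lead for closer inspection, since the entry gives the Mutagen and Mutagen.Agent I length ranges as approximate.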