M.I.R. Virus


 Virus Name:  M.I.R. 
 Aliases:     MIR 
 V Status:    Rare 
 Discovered:  May, 1991 
 Symptoms:    .COM & .EXE growth; BSC; .SYS file corruption; decrease in 
              total system & available memory; boot failures; garbling of 
              system date/time display 
 Origin:      Europe 
 Eff Length:  1,745 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files, & DOS SYS command 
 
 General Comments: 
       The M.I.R. virus was submitted in May 1991 by the PCVRF.  It is 
       originally from Europe.  This virus is a memory resident infector 
       of .COM and .EXE programs, including COMMAND.COM.  It also modifies 
       diskette boot sectors and .SYS files, though the virus cannot 
       replicate from these areas. 
 
       The first time a program infected with M.I.R. is executed, the 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  Interrupts 21 and 27 will 
       be hooked by the virus.  Total system and available free memory, as 
       indicated by the DOS CHKDSK program, will be 3,584 bytes less than 
       is expected.  At this time, the boot sector of diskettes will be 
       modified, though the modification does not result in an infectious 
       copy of the virus. 
 
       Once M.I.R. is memory resident, it will infect .COM and .EXE files 
       which are at least 2K in length when they are executed.  Infected 
       .COM programs will have a length increase of 1,745 bytes, while 
       .EXE programs will increase in size by 1,745 to 1,759 bytes.  In 
       both cases, the virus will be located at the end of the infected 
       file. M. I. R. does not hide the file length increase, nor does it 
       alter the program's date and time in the DOS disk directory. 
 
       One text string can be found in infected programs, located near the 
       beginning of the viral code: 
 
               "#.I.R. *-*-*-* Sign of the time!" 
 
       As an M.I.R. infection progresses, the system file MSDOS.SYS may 
       become infected by the virus.  This file does not contain an 
       infectious copy of the virus, but is damaged.  Attempts to boot 
       from disks with a M.I.R. modified boot sector and MSDOS.SYS, as 
       well as an infected COMMAND.COM will result in a garbled system 
       date and time, followed by the system hanging. 
 
       It is unknown if M.I.R. does anything besides replicate. 
 
       See:   Dark Avenger

Show viruses from discovered during that infect .

Main Page