Magnitogorsk 2048 Virus
Virus Name: Magnitogorsk 2048
V Status: Rare
Discovered: May, 1991
Symptoms: .COM & .EXE growth; decrease in total system and available
Eff Length: 2,048 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, NAV, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
The Magnitogorsk 2048 virus was submitted from Europe in May,
1991. It is originally from the USSR. Magnitogorsk 2048 is
a later version of the 2560 virus, and some anti-viral utilities
will detect it as 2560.
The first time a program infected with Magnitogorsk 2048 is
executed, the virus will install itself memory resident at the
top of system memory but below the 640K DOS boundary. Total system
and available free memory, as measured by the DOS CHKDSK program,
will decrease by 4,160 bytes. Interrupts 08, 13, 21, and 22 will
be hooked by the virus.
After Magnitogorsk 2048 is memory resident, it will infect .COM
and .EXE programs larger than approximately 2K when they are
opened or executed. Infected programs will increase in size by
2,048 bytes with the virus being located at the end of the infected
program. The program's date and time in the disk directory will
not be altered.
Magnitogorsk 2048 will also infect COMMAND.COM when it is opened
or executed. In the case of COMMAND.COM, the infected program will
not have any file length increase as the virus will overwrite a
portion of COMMAND.COM's stack space.
Magnitogorsk 2048 is a stealth virus, as is 2560. While these
viruses do not hide their file length increase, they do actively
use techniques to avoid detection by anti-viral utilities not
aware of them.
It is unknown if Magnitogorsk 2048 does anything besides replicate.