Marauder Virus


 Virus Name:  Marauder 
 Aliases: 
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM file growth; files overwritten 
 Origin:      Canada 
 Eff Length:  860 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, Sweep, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N, 
                    AVTK/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Marauder virus was received in January, 1992.  It is originally 
       from Canada.  Marauder is a non-resident, direct action infector of 
       .COM programs, including COMMAND.COM.  It is destructive when it 
       activates on February 2nd of any year. 
 
       When a program infected with Marauder is executed, the Marauder 
       virus will search the current directory for an uninfected .COM 
       program to infect.  If the Marauder virus doesn't find a file to 
       infect in the current directory, it will move up one level in the 
       current directory structure and check for an uninfected .COM file. 
       If it still hasn't found an uninfected .COM file, it will continue 
       searching upward in the directory structure.  If the root directory 
       is reached, it will then search down through the directory 
       structure for a candidate .COM file to infect.  Once a candidate 
       .COM file is found, the virus will infect it and the original 
       program the user was attempting to execute will execute. 
 
       Marauder infected files will have a file length increase of 860 
       bytes with the virus being located at the end of the infected 
       file.  There will be no change to the file's date and time in a 
       DOS disk directory listing. 
 
       Marauder is an encrypted virus and no text strings are visible 
       within the viral code in infected programs.        
 
       On February 2nd of any year, the Marauder virus will activate. 
       When an infected program is executed on this date, the Marauder 
       virus will overwrite all files in the current directory with the 
       following text string repeated over and over again: 
 
               "=  [Marauder] 1992 Hellraiser - Phalcon/Skism." 
 
       The overwritten files will have their file date and time updated 
       to the current system date and time in the DOS disk directory 
       listing. 
 
       Known variant(s) of Marauder are: 
       DeadPool: Received in July, 1992, DeadPool is a 560 byte 
                 variant of the Marauder virus.  It infects one .COM 
                 file each time an infected program is executed.  If 
                 an uninfected .COM file does not exist in the current 
                 directory, it will search one directory above the 
                 current directory.  If an uninfected program is still 
                 not found, it will jump to the current drive's root 
                 directory.  Programs infected with DeadPool will 
                 have a file length increase of 560 bytes with the 
                 virus being located at the end of the file.  There will 
                 be no change to the file's date and time in the DOS disk 
                 directory listing.  The following text strings are 
                 encrypted within the DeadPool viral code: 
                 "Deadpool by Phalcon/Skism" 
                 "????????COM" 
                 "COMMAND.COM" 
                 DeadPool activates after the 808th generation of viral 
                 infection, at which time the word "Deadpool" will be 
                 typed on the system display. 
                 Origin:  USA  July, 1992. 
       Marauder.855: Received in July, 1995, this is an 855 byte 
                 variant of the Marauder virus described above.  It adds 
                 855 bytes to the .COM files it infects, and contains the 
                 following unencrypted text string: 
                 "[Marauder] 1992 Hellraiser - Phalcon/Skism" 
                 The following text string is encrypted within the viral 
                 code: 
                 "*.COM *.* .." 
                 Origin:  Unknown  July, 1995. 
 
       See:   Marl 
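
The sketch below is an added triage example, not code from this entry or from any of the listed scanners. It separates files destroyed by the February 2nd payload (content is almost entirely the repeated string) from files that contain the marker only once, as a Marauder.855 infection would. The names classify and scan_directory, the 0.8 coverage threshold and the sample byte strings are assumptions made for illustration; the exact on-disk layout of the payload text is not given above, so the check measures marker density rather than an exact pattern.

```python
import os
from datetime import datetime

# Marker text shared by the payload string and the Marauder.855 string quoted above.
# The encrypted 860-byte Marauder shows no visible strings, so this finds damage, not it.
CORE = b"[Marauder] 1992 Hellraiser - Phalcon/Skism"

# Constructed samples (not real captures): a payload-overwritten file and a
# host program with a single marker copy near the end.
SAMPLE_OVERWRITTEN = (b"=  " + CORE + b".") * 20
SAMPLE_APPENDED = b"\x90" * 1000 + CORE + b"\x00" * 300

def classify(data: bytes, threshold: float = 0.8) -> str:
    """Return 'overwritten', 'marker-present' or 'no-marker' for a file's bytes."""
    hits = data.count(CORE)              # non-overlapping occurrences
    if hits == 0:
        return "no-marker"
    coverage = hits * len(CORE) / len(data)
    # threshold is an assumed cut-off: repeated payload text covers most of the file
    return "overwritten" if coverage >= threshold else "marker-present"

def scan_directory(path: str) -> dict:
    """Map each regular file in path to (verdict, modified_on_feb_2)."""
    results = {}
    for entry in os.scandir(path):
        if not entry.is_file(follow_symlinks=False):
            continue
        with open(entry.path, "rb") as fh:
            data = fh.read()
        # Overwritten files get the system date at activation, i.e. February 2nd.
        mtime = datetime.fromtimestamp(entry.stat().st_mtime)
        results[entry.name] = (classify(data), (mtime.month, mtime.day) == (2, 2))
    return results

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (verdict, feb2) in sorted(scan_directory(target).items()):
        print(f"{name:20} {verdict:15} mtime_feb_2={feb2}")
```

Run it against a copy or a read-only mount of the affected directory; files reported as overwritten have to be restored from backup, since the payload leaves nothing of the original content.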
