Marauder Virus
Virus Name: Marauder
Aliases:
V Status: Rare
Discovered: January, 1992
Symptoms: .COM file growth; files overwritten
Origin: Canada
Eff Length: 860 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, LProt, Innoc, NProt, IBMAV/N,
AVTK/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Marauder virus was received in January, 1992. It is originally
from Canada. Marauder is a non-resident, direct action infector of
.COM programs, including COMMAND.COM. It is destructive when it
activates on February 2nd of any year.

When a program infected with Marauder is executed, the Marauder
virus will search the current directory for an uninfected .COM
program to infect. If the Marauder virus doesn't find a file to
infect in the current directory, it will move up one level in the
current directory structure and check for an uninfected .COM file.
If it still hasn't found an uninfected .COM file, it will continue
searching upward in the directory structure. If the root directory
is reached, it will then search down through the directory
structure for a candidate .COM file to infect. Once a candidate
.COM file is found, the virus will infect it, and the original
program the user was attempting to execute will then run.

Marauder infected files will have a file length increase of 860
bytes with the virus being located at the end of the infected
file. There will be no change to the file's date and time in a
DOS disk directory listing.

Marauder is an encrypted virus and no text strings are visible
within the viral code in infected programs.

On February 2nd of any year, the Marauder virus will activate.
When an infected program is executed on this date, the Marauder
virus will overwrite all files in the current directory with the
following text string repeated over and over again:

"= [Marauder] 1992 Hellraiser - Phalcon/Skism."

The overwritten files will have their file date and time updated
to the current system date and time in the DOS disk directory
listing.

Known variant(s) of Marauder are:

DeadPool: Received in July, 1992, DeadPool is a 560 byte
variant of the Marauder virus. It infects one .COM
file each time an infected program is executed. If
an uninfected .COM file does not exist in the current
directory, it will search one directory above the
current directory. If an uninfected program is still
not found, it will jump to the current drive's root
directory. Programs infected with DeadPool will
have a file length increase of 560 bytes with the
virus being located at the end of the file. There will
be no change to the file's date and time in the DOS disk
directory listing. The following text strings are
encrypted within the DeadPool viral code:
"Deadpool by Phalcon/Skism"
"????????COM"
"COMMAND.COM"
DeadPool activates after the 808th generation of viral
infection, at which time the word "Deadpool" will be
typed on the system display.
Origin: USA July, 1992.

Marauder.855: Received in July, 1995, this is an 855 byte
variant of the Marauder virus described above. It adds
855 bytes to the .COM files it infects, and contains the
following unencrypted text string:
"[Marauder] 1992 Hellraiser - Phalcon/Skism"
The following text string is encrypted within the viral
code:
"*.COM *.* .."
Origin: Unknown July, 1995.

See: Marl