Matura Virus

Virus Name: Matura Aliases: V Status: Rare Discovered: December, 1992 Symptoms: .COM file growth; unexpected accesses to C: drive Origin: Unknown Eff Length: 549 Bytes Type Code: PNCK - Parasitic Non-Resident .COM Infector Detection Method: Sweep, AVTK, F-Prot, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Matura virus was submitted in December, 1992. Its origin or point of isolation is unknown. Matura is a non-resident, direct action infector of .COM programs, including COMMAND.COM. When a program infected with the Matura virus is executed, the Matura virus will infect one .COM program on the current drive, and one program on the C: drive. Infected programs will have a file length increase of 549 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text string can be found in all Matura infected programs: "c:*.com" It is unknown what Matura does when it activates, but it does contain some destructive code. Known variant(s) of Matura are: Matura 92: Based on the Matura virus described above, this is a memory resident variant. It becomes memory resident at the top of system memory but below the 640K DOS boundary, taking up 1,776 bytes, and hooking interrupt 21. Once resident, it infects .COM and .EXE programs, including COMMAND.COM, when they are executed or opened. With the exception of COMMAND.COM, infected programs increase in size by 1,626 to 1,641 bytes with the virus being located at the end of the file. In the case of COMMAND.COM, there is no increase in file length as the virus overwrites a portion of the hex "00" slack area. No change in the DOS disk directory file date and time occurs on infected files. The following text strings are visible within the viral code in all infected programs: "exeEXEcomCOMcommandCOMMAND" "MATURA92" Origin: Unknown September, 1993.