Virus Name: Matura
V Status: Rare
Discovered: December, 1992
Symptoms: .COM file growth; unexpected accesses to C: drive
Eff Length: 549 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: Sweep, AVTK, F-Prot, ViruScan, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
The Matura virus was submitted in December, 1992. Its origin or
point of isolation is unknown. Matura is a non-resident, direct
action infector of .COM programs, including COMMAND.COM.
When a program infected with the Matura virus is executed, the
Matura virus will infect one .COM program on the current drive,
and one program on the C: drive. Infected programs will have a
file length increase of 549 bytes with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text string
can be found in all Matura infected programs:
It is unknown what Matura does when it activates, but it does
contain some destructive code.
Known variant(s) of Matura are:
Matura 92: Based on the Matura virus described above, this
is a memory resident variant. It becomes memory resident
at the top of system memory but below the 640K DOS
boundary, taking up 1,776 bytes, and hooking interrupt
21. Once resident, it infects .COM and .EXE programs,
including COMMAND.COM, when they are executed or opened.
With the exception of COMMAND.COM, infected programs
increase in size by 1,626 to 1,641 bytes with the virus
being located at the end of the file. In the case of
COMMAND.COM, there is no increase in file length as the
virus overwrites a portion of the hex "00" slack area.
No change in the DOS disk directory file date and time
occurs on infected files. The following text strings
are visible within the viral code in all infected programs:
Origin: Unknown September, 1993.