Mephisto Virus


 Virus Name:  Mephisto 
 Aliases:     Mephisto.510 
 V Status:    New 
 Discovered:  January, 1996 
 Symptoms:    .COM file growth; file date/time seconds = "14"; 
              message displayed; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  510 Bytes 
 Type Code:   PRtC - Parasitic Resident .COM Infector 
 Detection Method:  IBMAV, NAV, NAVDX, AVTK, ViruScan, F-Prot, ChAV, 
                    IBMAV/N, NAV/N, AVTK/N, NShld, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Mephisto or Mephisto.510 virus was received in January, 1996. 
       Its origin or point of isolation is unknown.  Mephisto is a memory 
       resident infector of .COM files, but not COMMAND.COM. 
 
       When the first Mephisto infected program is executed, this virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, lowering the memory size returned by 
       interrupt 12.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 1,024 bytes.  
       Interrupt 21 will be hooked by the virus in memory. 
 
       Once the Mephisto virus is memory resident, it will infect .COM 
       programs, other than COMMAND.COM, when they are executed or opened, 
       but not when copied.  Infected files will have a file length increase 
       of 510 bytes with the virus being located at the end of the file. 
       This virus will also reinfect previously infected files, adding an 
       additional 510 bytes to the file for each infection.  The file's date 
       and time in the DOS disk directory listing will not appear to be 
       altered, though the seconds field will have been set to "14".  The 
       following text string is visible within the viral code: 
 
           "Resident Function will be carried out !!!" 
 
       This text string will be displayed as a message when a .COM program 
       is executed or opened. 
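
The symptoms above can be checked offline against a disk image. This is an added example, not part of the original entry: it parses raw FAT directory entries, flags .COM files whose seconds field decodes to 14, and looks for the message text in the last 510 bytes (visible only in Mephisto.510, since the variants encrypt it). It assumes "14" is the decoded seconds value (raw field 7); all function names and the sample directory are constructed for illustration.

```python
import struct

MARKER_SECONDS = 14   # per the entry; assumed to be the decoded value (raw field 7)
MESSAGE = b"Resident Function will be carried out !!!"  # plain text only in Mephisto.510
VIRUS_LEN = 510       # Mephisto.510 sits at the end of the infected file

def dos_seconds(time_word):
    """DOS stores seconds in 2-second units in the low 5 bits of the time word."""
    return (time_word & 0x1F) * 2

def parse_directory(raw):
    """Yield (filename, seconds, size) for each live file in raw FAT directory data."""
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                      # never-used slot: end of directory
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:  # deleted, volume label or subdirectory
            continue
        base = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_word, = struct.unpack_from("<H", entry, 22)
        size, = struct.unpack_from("<I", entry, 28)
        yield (base + "." + ext if ext else base), dos_seconds(time_word), size

def triage(raw_dir, contents):
    """Return {name: [reasons]} for .COM files showing the documented symptoms."""
    hits = {}
    for name, seconds, size in parse_directory(raw_dir):
        if not name.endswith(".COM"):
            continue
        reasons = []
        if seconds == MARKER_SECONDS:             # weak alone: 1 in 30 files match by chance
            reasons.append("seconds=14")
        if MESSAGE in contents.get(name, b"")[-VIRUS_LEN:]:
            reasons.append("message in last 510 bytes")
        if reasons:
            hits[name] = reasons
    return hits

def make_entry(name, ext, hms, size):
    """Build one constructed 32-byte directory entry (sample data, not from a real disk)."""
    h, m, s = hms
    time_word = (h << 11) | (m << 5) | (s // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + bytes(10)
            + struct.pack("<HHHI", time_word, 0x2021, 2, size))

SAMPLE_DIR = (make_entry("CLEAN", "COM", (9, 30, 12), 1200)
              + make_entry("TOOL", "COM", (9, 30, 14), 1710)
              + make_entry("NOTES", "TXT", (9, 30, 14), 80) + bytes(32))
SAMPLE_FILES = {"TOOL.COM": bytes(1300) + MESSAGE + bytes(510 - 100 - len(MESSAGE))}
```

Run the scan from a clean boot: the entry notes that some variants hide the length increase while the virus is memory resident.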
 
       Known variant(s) of Mephisto are: 
       Mephisto.615: Also received in January, 1996, this is a 615 byte 
           variant of the Mephisto virus described above.  Its size in 
           memory is also 1,024 bytes, hooking interrupt 21.  This variant 
           infects .COM files, including COMMAND.COM, when they are executed 
           or opened, adding 615 bytes to the file's length.  This file 
           length increase will be hidden when the virus is memory resident. 
           The virus will be located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not appear 
           to be altered, though the seconds field will have been set to 
           "14".  The following text string is encrypted within the viral 
           code: 
           "Resident Function will be carried out !!!" 
           This text string is displayed as a message by the virus when 
           the virus is memory resident and .COM files are executed or 
           opened.  This variant does not reinfect previously infected 
           files. 
           Origin:  Unknown  January, 1996. 
       Mephisto.815: Also received in January, 1996, this is an 815 byte 
           non-resident variant of the Mephisto virus.  It infects one .EXE 
           file in the current directory when an infected program is 
           executed.  Infected files will have a file length increase of 
           815 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered.  The following text strings are 
           encrypted within the viral code: 
           "*.exe" 
           "When you read this Text, your Computer has to be already 
            DEAD. My Name is NUMBER FOUR but you will never see 
            me again..." 
           This variant does not reinfect previously infected files. 
           Origin:  Unknown  January, 1996. 
       Mephisto.914: Also received in January, 1996, this is a 914 byte 
           non-resident variant of the Mephisto virus.  It infects one .COM 
           file in the current directory when an infected program is 
           executed.  Infected files will have a file length increase of 
           914 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered.  The following text strings are 
           encrypted within the viral code: 
           "*.com" 
           "When you read this Text, your Computer has to be already 
            DEAD. My Name is NUMBER THREE but you will never see 
            me again..." 
           This variant does not reinfect previously infected files. 
           Origin:  Unknown  January, 1996. 
       Mephisto.928: Also received in January, 1996, this is a 928 byte 
           non-resident variant of the Mephisto virus.  It infects one .COM 
           file in the current directory when an infected program is 
           executed.  Infected files will have a file length increase of 
           928 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered.  The following text strings are 
           encrypted within the viral code: 
           "*.com" 
           "When you read this Text, your Computer has to be already 
            DEAD. My Name is NUMBER THREE but you will never see 
            me again..." 
           This variant does not reinfect previously infected files. 
           Origin:  Unknown  January, 1996. 
       Mephisto.1242: Also received in January, 1996, this is a 1,242 
           byte variant of the Mephisto virus described above.  Its size in 
           memory is 2,048 bytes, hooking interrupts 1C and 21.  This variant 
           infects .COM files, including COMMAND.COM, when they are executed 
           or opened, adding 1,242 bytes to the file's length.  This file 
           length increase will be hidden when the virus is memory resident. 
           The virus will be located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not appear 
           to be altered, though the seconds field will have been set to 
           "14".  The following text strings are encrypted within the viral 
           code: 
           "ALL GOOD THINGS MUST COME TO AN END 
            This virus is dedicated to the well known series 
            STAR TRECK NEXT GENERATION 
            that reached the end about three months ago... [NUMBER FIVE]" 
           "() Mephisto" 
           This variant does not reinfect previously infected files. 
           Origin:  Unknown  January, 1996. 
