Mephisto Virus
Virus Name: Mephisto
Aliases: Mephisto.510
V Status: New
Discovered: January, 1996
Symptoms: .COM file growth; file date/time seconds = "14";
message displayed;
decrease in total system & available free memory
Origin: Unknown
Eff Length: 510 Bytes
Type Code: PRtC - Parasitic Resident .COM Infector
Detection Method: IBMAV, NAV, NAVDX, AVTK, ViruScan, F-Prot, ChAV,
IBMAV/N, NAV/N, AVTK/N, NShld, Innoc
Removal Instructions: Delete infected files
General Comments:
The Mephisto or Mephisto.510 virus was received in January, 1996.
Its origin or point of isolation is unknown. Mephisto is a memory
resident infector of .COM files, but not COMMAND.COM.
When the first Mephisto infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, lowering the memory size that interrupt 12 returns. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 1,024 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Mephisto virus is memory resident, it will infect .COM
programs, other than COMMAND.COM, when they are executed or opened,
but not when copied. Infected files will have a file length increase
of 510 bytes with the virus being located at the end of the file.
This virus will also reinfect previously infected files, adding an
additional 510 bytes to the file for each infection. The file's date
and time in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to "14". The
following text string is visible within the viral code:
"Resident Function will be carried out !!!"
This text string will be displayed as a message when a .COM program
is executed or opened.
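The indicators described above for Mephisto.510 can be combined into a read-only triage check. This is an added example, not part of the original entry: the function names, the sample files, and the reading of "14" as the displayed seconds value are assumptions, and the sample data is constructed filler containing only the quoted text string.

```python
import struct

# Values taken from the write-up above.
MARKER = b"Resident Function will be carried out !!!"
VIRUS_LEN = 510          # bytes appended per infection (Mephisto.510)
MARK_SECONDS = 14        # assumption: "14" is the displayed seconds value

def parse_dir_entry(entry: bytes):
    """Decode name, last-write seconds and size from a 32-byte FAT directory entry."""
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    time_word, = struct.unpack_from("<H", entry, 22)   # hhhhh mmmmmm sssss
    size, = struct.unpack_from("<I", entry, 28)
    seconds = (time_word & 0x1F) * 2                   # stored in 2-second units
    return f"{base}.{ext}", seconds, size

def triage(entry: bytes, content: bytes) -> dict:
    """Score one file against the Mephisto.510 indicators; never modifies anything."""
    name, seconds, size = parse_dir_entry(entry)
    in_scope = name.endswith(".COM") and name != "COMMAND.COM"
    copies = content.count(MARKER) if in_scope else 0
    # The virus sits at the end of the file, so the marker of the newest copy
    # must fall inside the final VIRUS_LEN bytes.
    tail_hit = in_scope and MARKER in content[-VIRUS_LEN:]
    return {
        "name": name,
        "seconds_marker": in_scope and seconds == MARK_SECONDS,
        "tail_marker": tail_hit,
        "copies": copies,
        "est_host_len": size - copies * VIRUS_LEN if tail_hit else size,
    }

def make_entry(name83: bytes, h: int, m: int, s: int, size: int) -> bytes:
    """Build a constructed directory entry for the sample data below."""
    entry = bytearray(32)
    entry[0:11] = name83
    struct.pack_into("<H", entry, 22, (h << 11) | (m << 5) | (s // 2))
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)

# Constructed sample: inert filler carrying only the marker text, appended twice
# to mimic the reinfection growth described above. No viral code is present.
FAKE_BODY = MARKER.ljust(VIRUS_LEN, b"\x00")
HOST = b"\x90" * 99 + b"\xc3"
SAMPLE = HOST + FAKE_BODY * 2
SAMPLE_ENTRY = make_entry(b"GAME    COM", 12, 30, 14, len(SAMPLE))
CLEAN_ENTRY = make_entry(b"EDIT    COM", 9, 5, 14, len(HOST))

if __name__ == "__main__":
    print(triage(SAMPLE_ENTRY, SAMPLE))
    print(triage(CLEAN_ENTRY, HOST))
```

A seconds value of 14 is a legal timestamp, so it only corroborates; the text string in the final 510 bytes is the stronger indicator, and the copy count estimates how many times a file was reinfected.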
Known variant(s) of Mephisto are:
Mephisto.615: Also received in January, 1996, this is a 615 byte
variant of the Mephisto virus described above. Its size in
memory is also 1,024 bytes, hooking interrupt 21. This variant
infects .COM files, including COMMAND.COM, when they are executed
or opened, adding 615 bytes to the file's length. This file
length increase will be hidden when the virus is memory resident.
The virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"14". The following text string is encrypted within the viral
code:
"Resident Function will be carried out !!!"
This text string is displayed as a message by the virus when
the virus is memory resident and .COM files are executed or
opened. This variant does not reinfect previously infected
files.
Origin: Unknown January, 1996.
Mephisto.815: Also received in January, 1996, this is an 815 byte
non-resident variant of the Mephisto virus. It infects one .EXE
file in the current directory when an infected program is
executed. Infected files will have a file length increase of
815 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not appear to be altered. The following text strings are
encrypted within the viral code:
"*.exe"
"When you read this Text, your Computer has to be already
DEAD. My Name is NUMBER FOUR but you will never see
me again..."
This variant does not reinfect previously infected files.
Origin: Unknown January, 1996.
Mephisto.914: Also received in January, 1996, this is a 914 byte
non-resident variant of the Mephisto virus. It infects one .COM
file in the current directory when an infected program is
executed. Infected files will have a file length increase of
914 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not appear to be altered. The following text strings are
encrypted within the viral code:
"*.com"
"When you read this Text, your Computer has to be already
DEAD. My Name is NUMBER THREE but you will never see
me again..."
This variant does not reinfect previously infected files.
Origin: Unknown January, 1996.
Mephisto.928: Also received in January, 1996, this is a 928 byte
non-resident variant of the Mephisto virus. It infects one .COM
file in the current directory when an infected program is
executed. Infected files will have a file length increase of
928 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not appear to be altered. The following text strings are
encrypted within the viral code:
"*.com"
"When you read this Text, your Computer has to be already
DEAD. My Name is NUMBER THREE but you will never see
me again..."
This variant does not reinfect previously infected files.
Origin: Unknown January, 1996.
Mephisto.1242: Also received in January, 1996, this is a 1,242
byte variant of the Mephisto virus described above. Its size in
memory is 2,048 bytes, hooking interrupts 1C and 21. This variant
infects .COM files, including COMMAND.COM, when they are executed
or opened, adding 1,242 bytes to the file's length. This file
length increase will be hidden when the virus is memory resident.
The virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"14". The following text strings are encrypted within the viral
code:
"ALL GOOD THINGS MUST COME TO AN END
This virus is dedicated to the well known series
STAR TRECK NEXT GENERATION
that reached the end about three months ago... [NUMBER FIVE]"
"(›) Mephisto"
This variant does not reinfect previously infected files.
Origin: Unknown January, 1996.