Moctezumas Revenge Virus


 Virus Name:  Moctezumas Revenge 
 Aliases:     Ciudado, Moctezumas, Moctezuma 
 V Status:    Rare 
 Discovered:  December, 1991 
 Symptoms:    .COM & .EXE growth; TSR; file allocation errors; boot failure 
 Origin:      Unknown 
 Eff Length:  2,208 - 2,228 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, IBMAV, NAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    Sweep/N, LProt, NShld, Innoc, NProt, AVTK/N, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Moctezumas Revenge virus was submitted in December, 1991.  Its 
       origin or point of original isolation is unknown.  Moctezumas 
       Revenge is a memory resident infector of .COM and .EXE files, 
       including COMMAND.COM.  It will also occasionally infect the 
       hidden DOS system .SYS files.  This virus is based on the 
       Jerusalem virus. 
 
       The first time a program infected with Moctezumas Revenge is 
       executed, the virus will install itself memory resident as a low 
       system memory TSR of 2,336 bytes.  It will hook interrupts 13 and 
       21. 
 
       Once Moctezumas Revenge is memory resident, it will infect .COM 
       and .EXE programs, including COMMAND.COM, when they are executed. 
       It will also occasionally infect the hidden DOS system .SYS 
       files. 
 
       Moctezumas Revenge infected programs, with the exception of 
       COMMAND.COM, will have a file length increase of 2,208 to 2,228 
       bytes with the virus being located at the beginning of the 
       infected file.  In the case of COMMAND.COM and the hidden .SYS 
       files, there will be no file length increase.  The file's date 
       and time will not be altered in the DOS disk directory listing. 
       Infected files can be identified by the two characters "92" 
       appearing in bytes 8 and 9 of infected files.  The Moctezumas 
       Revenge virus is encrypted, though the following text string 
       will occasionally be visible in infected files: 
 
               "Moctezuma's Revenge92" 
 
       Symptoms of a Moctezumas Revenge infection include file 
       allocation errors for COMMAND.COM and possibly the hidden DOS 
       system .SYS files.  A file allocation error may occur on some 
       other file as well, due to the virus writing out a copy of itself 
       to another cluster without checking to see if it was previously 
       in use.  Systems with an infected COMMAND.COM will fail to boot 
       from the infected COMMAND.COM. 
 
       It is unknown what Moctezumas Revenge does besides replicate.      
 
       Known variant(s) of Moctezumas Revenge are: 
       Moctezumas Revenge 2: A later version of the original 
                Moctezumas Revenge virus, this variant has been 
                changed so that boot failures and file allocation errors 
                no longer occur.  COMMAND.COM and the hidden system files 
                will no longer be infected by the virus.  Moctezumas 
                Revenge 2 adds 2,228 bytes to .COM programs, locating its 
                viral code at the beginning of the file.  On .EXE programs, 
                it adds 2,208 to 2,222 bytes locating the virus at the 
                end of the file.  When an unencrypted copy of the virus 
                infects a file, the following text string will appear 
                in it: "Moctezuma's Revenge62".  The 
                infection identifier has been changed from 92 to 62, though 
                in .EXE programs it is no longer located near the beginning 
                of the infected file since the virus is now at the end of 
                the file. 
                Origin:  Unknown  March, 1992. 
 
       See:   Jerusalem   Poison 
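
The identification details above can be turned into a file triage check. The following is an added example, not part of the original entry or of any listed scanner; the function names and confidence labels are hypothetical, and because the entry does not say whether "bytes 8 and 9" is counted from 0 or from 1, both readings are checked.

```python
# Added example: triage a file image for the markers this entry describes.
TEXT = b"Moctezuma's Revenge"   # text string quoted in the entry
VARIANTS = {b"92": "Moctezumas Revenge", b"62": "Moctezumas Revenge 2"}


def triage(data):
    """Return a list of (confidence, variant, offset); empty if no marker."""
    findings = []
    # Assumption: "bytes 8 and 9" may be 0-based (offsets 8-9) or 1-based
    # (offsets 7-8), so both are tested.  Two ASCII digits are a weak
    # signal on their own, hence the "weak" label.
    for start in (7, 8):
        variant = VARIANTS.get(data[start:start + 2])
        if variant:
            findings.append(("weak", variant, start))
    # The plaintext string followed by its identifier is a strong signal.
    # The whole image is searched because variant 2 sits at the end of
    # .EXE files, where the header check above cannot see it.
    pos = data.find(TEXT)
    while pos != -1:
        ident = data[pos + len(TEXT):pos + len(TEXT) + 2]
        if ident in VARIANTS:
            findings.append(("strong", VARIANTS[ident], pos))
        pos = data.find(TEXT, pos + 1)
    return findings


def verdict(data):
    """Collapse the findings into one label for a scan report."""
    levels = {level for level, _, _ in triage(data)}
    if "strong" in levels:
        return "infected"
    # The virus body is encrypted and the string is only occasionally
    # visible, so "no marker" does not clear a file.
    return "suspect" if levels else "no marker"


if __name__ == "__main__":
    # Constructed samples, not real infected files.
    header_only = bytes(8) + b"92" + bytes(54)
    exe_tail = b"MZ" + bytes(510) + TEXT + b"62" + bytes(16)
    for name, image in (("header_only", header_only), ("exe_tail", exe_tail)):
        print(name, verdict(image), triage(image))
```

A "suspect" result from the two-digit marker alone should be confirmed against the file growth figures given in the entry before the file is deleted.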
