Monxla Virus


 Virus Name:  Monxla 
 Aliases:     Time Virus 
 V Status:    Rare 
 Discovered:  November, 1990 
 Symptoms:    .COM growth; system hangs and/or reboots; program execution 
              failures 
 Origin:      Hungary 
 Eff Length:  939 Bytes 
 Type Code:   PRfCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Monxla, or Time, virus was discovered in November, 1990 in 
       Hungary. This virus is a memory resident direct action infector of 
       .COM files, including COMMAND.COM. 
 
       When a program infected with the Monxla virus is executed, the 
       virus will check the current system time.  If the system time's 
       current seconds is greater than 32/100's of a second, the virus 
       will install a very small portion of itself memory resident at the 
       top of free memory but below the 640K DOS boundary.  The virus 
       allocates 80 bytes, and will hook interrupts 20 and F2.  The F2 
       interrupt is later used to determine if the virus is in memory, 
       thus avoiding multiple memory allocations.  The memory resident 
       portion of the virus is not used to infect files. 
 
       Each time a program infected with the Monxla virus is executed, the 
       virus will search for one uninfected .COM file with a length 
       between 3,840 and 64,000 bytes to infect.  The current directory is 
       searched first, and then the directories along the system path. 
       Once an uninfected .COM file is found that satisfies the length 
       requirement, the virus will infect it.  On any day other than the
       13th of the month, the virus appends its viral code to the end of
       the candidate file, increasing the file's length by 939 bytes.
 
       On the 13th day of any month, the virus activates.  The activation 
       involves damaging the files that it infects based on the current 
       seconds in the system time.  At the time the virus attempts to 
       infect another .COM file, the virus will damage the file in one of 
       three ways.  If the current seconds was greater than 60/100's, 4
       HLTs followed by a random interrupt will be placed at the beginning
       of the file being infected.  When the program is later executed, it
       may behave strangely or destructively, depending on which
       interrupt was written.  If the current seconds was greater than
       30/100's, but less than 60/100's, two INT 19 calls are placed at 
       the beginning of the file. Later when the program is executed, it 
       will attempt to perform a warm reboot preserving the current 
       interrupt vectors.  This, however, will result in a system hang if 
       any interrupt between 00h and 1Ch was previously hooked.  If the 
       current seconds was greater than 00/100's but less than 30/100's, 
       an INT 20 call is placed at the beginning of the program being 
       infected, thus resulting in it immediately terminating when later 
       executed. 
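
       The three damage patterns above can be checked for at the start of
       a .COM file.  The following triage script is an added example, not
       part of the original entry; its function names and sample bytes are
       constructed for illustration.

```python
import os
import tempfile
from typing import Dict, Optional

HLT, INT = 0xF4, 0xCD  # x86 opcodes: HLT, INT imm8

def classify_head(head: bytes) -> Optional[str]:
    """Name the 13th-day damage pattern at the start of a .COM image, if any."""
    if len(head) >= 6 and head[:4] == bytes([HLT] * 4) and head[4] == INT:
        return "4 HLTs + INT %02Xh" % head[5]
    if head[:4] == bytes([INT, 0x19, INT, 0x19]):
        return "two INT 19h calls"
    if head[:2] == bytes([INT, 0x20]):
        return "INT 20h"
    return None

def scan_tree(root: str) -> Dict[str, str]:
    """Map each matching .COM file under root to its pattern name."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".com"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    label = classify_head(fh.read(6))
                if label:
                    hits[path] = label
    return hits

# Constructed sample file heads (not taken from real infected files).
SAMPLES = {
    "CLEAN.COM": b"\xE9\x10\x00" + b"\x90" * 16,       # ordinary near JMP
    "HALTED.COM": bytes([HLT] * 4) + b"\xCD\x13\x90",  # 4 HLTs + INT 13h
    "REBOOT.COM": b"\xCD\x19\xCD\x19\x90\x90",         # two INT 19h calls
    "EXIT.COM": b"\xCD\x20\x90\x90\x90\x90",           # INT 20h
}

def demo() -> Dict[str, str]:
    """Write SAMPLES to a temp directory, scan it, return {filename: label}."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): l for p, l in scan_tree(root).items()}

if __name__ == "__main__":
    for name, label in sorted(demo().items()):
        print(name, "->", label)
```

       A match only means the file begins with one of the byte sequences
       described above; compare any hit against a known-good copy before
       deleting it.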
 
       See:   Monxla B   Vienna 
