Morgot Virus
Virus Name: Morgot
Aliases: Morgot.823
V Status: New
Discovered: January, 1996
Symptoms: .EXE file growth; file date/time changes;
TSR; decrease in available free memory
Origin: Unknown
Eff Length: 823 - 837 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: ChAV, AVTK, IBMAV, NAV, NAVDX, ViruScan 2.54+,
Innoc, AVTK/N, IBMAV/N, NAV/N, NShld 2.33+
Removal Instructions: Delete infected files
General Comments:
The Morgot or Morgot.823 virus was received in January, 1996,
along with three variants. Their origin or point of isolation
is unknown. Morgot is a memory resident infector of .EXE files.
When the first Morgot infected program is executed, this virus
will install itself memory resident as a low system memory TSR
of 1,136 bytes. Interrupts 21 and 24 will be hooked by the virus
in memory.
Once the Morgot virus is memory resident, it will infect .EXE
files when they are executed. Infected files will have a file
length increase of 823 to 837 bytes with the virus being located
at the end of the file. The program's date and time in the DOS
disk directory listing will have been updated to the current
system date and time when infection occurred. The following
text string is visible within the viral code:
"MORGOT"
Some .EXE files will fail to function properly once Morgot
infects the file.
Known variant(s) of Morgot are:
Morgot.841: Also received in January, 1996, this is an 841 byte
fast infector version of the Morgot virus described above. It
becomes memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 2,960 bytes. Interrupts
21 and 24 will be hooked by the virus in memory. Once this
variant is memory resident, it will infect .EXE files when they
are executed or opened, but not when copied. Infected files
will have a file length increase of 841 to 855 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
The following text string is visible within the viral code:
"-=MORGOT 2=-"
Origin: Unknown January, 1996.
Morgot.948: Also received in January, 1996, this is a 948 byte
variant of the Morgot virus described above. It becomes memory
resident at the top of system memory but below the 640K DOS
boundary, not moving interrupt 12's return. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0, will
have decreased by 3,072 bytes. Interrupts 21 and 24 will be
hooked by the virus in memory. Once this variant is memory
resident, it will infect .EXE files when they are executed.
Infected files will have a file length increase of 948 to 962
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The following text string is visible within
the viral code:
"-=MORGOT 3=-"
System hangs frequently occur when programs are executed.
Origin: Unknown January, 1996.
Morgot.1017: Also received in January, 1996, this is a 1,017 byte
variant of the Morgot virus described above. It becomes memory
resident at the top of system memory but below the 640K DOS
boundary, not moving interrupt 12's return. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0, will
have decreased by 3,152 bytes. Interrupts 21 and 24 will be
hooked by the virus in memory. Once this variant is memory
resident, it will infect .EXE files when they are executed.
Infected files will have a file length increase of 1,017 to 1,031
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The following text string is visible within
the viral code:
"-=MORGOT 4=-"
Origin: Unknown January, 1996.