Virus Name: Mule
V Status: Rare
Discovered: August, 1991
Symptoms: .COM & .EXE growth; TSR; Black box on screen
Eff Length: 4,112 - 4,126 Bytes
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
The Mule virus was discovered in August, 1991. It originated in
Thailand. Mule is a memory resident generic infector of .COM
and .EXE files. It will also infect COMMAND.COM. Mule is based
on the Jerusalem family of viruses.
The first time a program infected with Mule is executed, Mule
will become memory resident as a low system memory TSR of 4,096
bytes. Interrupts 08 and 21 will be hooked by the virus.
Once Mule is memory resident, it will infect .COM and .EXE files
when they are executed. If COMMAND.COM is executed, it will
become infected. Programs which are already infected with Mule
will become reinfected.
Mule infected .COM programs increase in size by 4,117 bytes with
the first infection. At this time, the virus will be located at
the beginning of the infected file. Later, if the Mule virus
reinfects the program, the virus will also be located at the end
of the infected file. During the reinfection, the infected .COM
file is treated as an .EXE file.
Mule infected .EXE programs increase in size by 4,112 to 4,126 bytes
with the first infection, and 4,112 bytes upon later reinfections.
The virus will always be located at the end of the infected .COM
Programs infected with Mule will contain the text string "Mule",
from which the virus derives its name.
Thirty minutes after Mule became memory resident, a black box will
appear on the low left hand side of the system display, similar to
the graphic effect of many members of the Jerusalem family.
It is unknown what Mule does besides replicate.