Mummy Virus
Virus Name: Mummy
Aliases: Mummy 1.2
V Status: Rare, Except Mummy 2.1 which is Common in USA
Discovered: January, 1992
Symptoms: .COM file growth; TSR; system hangs on 8088 based systems
Origin: Taiwan
Eff Length: 1,399 - 1,413 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, ChAV,
IBMAV, Sweep, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Mummy virus was received in January, 1992 from an unknown
origin. It is originally from Taiwan. This virus is a memory
resident infector of .EXE programs. This virus will frequently
hang 8088 based systems. It is based on the Jerusalem virus.
When the first Mummy infected .EXE program is executed, the Mummy
virus will install itself memory resident as a low system memory
TSR of 1,680 bytes. It will appear as an increase in the size
of the Config area of system memory when memory is mapped by some
utilities. Interrupt 21 will be hooked by the virus.
After the Mummy virus is memory resident, it will infect .EXE
programs when they are executed or opened. Infected programs will
have a file length increase of 1,399 to 1,413 bytes with the virus
being located at the end of the infected program. The file's date
and time in the DOS disk directory listing will not have been
altered.
There are no text strings within the viral code in infected
programs. The following text strings are encrypted within the
viral code of this virus:
"Mummy Version 1.2"
"Kaohsiung Senior School"
"Tzeng Jau Ming presents"
"Series Number = [xxxxx]"
It is unknown what Mummy does besides replicate.
Known variant(s) of Mummy are:
Mummy 1.0: Received as the Platinum virus in January, 1992,
Mummy 1.0 is an earlier version of the Mummy virus
described above. It becomes memory resident in low
system memory. Available free memory, as indicated by
the DOS CHKDSK program, will have decreased by
approximately 1,856 bytes. Interrupts 03 and 21 are
hooked. Once resident, Mummy 1.0 infects .EXE programs
when they are executed or opened. Infected programs
increase in size by 1,489 to 1,503 bytes with the virus
at the end of the file. There will be no change to the
file's date and time in the DOS disk directory listing.
The following text is encrypted within the viral code:
"Mummy Version 1.00.00"
"Kaohsiung Senior School"
"Tzeng Jau Ming presents"
"Series Number = [xxxxx]"
Origin: Taiwan January, 1992.
Mummy 2.1: Discovered in multiple locations in the United
States and the Republic of South Africa in May, 1992.
Mummy 2.1 is a later version of the Mummy virus
described above. Its memory resident TSR is 1,632 bytes,
hooking interrupt 21. It will infect .EXE programs when
they are opened or executed, adding 1,364 to 1,378 bytes
to the file's length. The encrypted text strings in this
variant are:
"PC Mummy Vers. 2.1"
"Kaohsiung Senior School"
"Tzeng Jau Ming presents"
Origin: Taiwan May, 1992.
Mummy 2.1B: Isolated in the United States in May, 1992, this
variant is functionally equivalent to Mummy 2.1B, and
has some minor alterations.
Isolated: United States May, 1992.
Mummy 2.1C: Submitted in March, 1993, Mummy 2.1C is a minor
variant of Mummy 2.1. The following text strings are
encrypted within the viral code:
"Saddam Hussein Ver. 1.1"
"Virus makers."
"Made by T.Z.M present."
Origin: Unknown March, 1993.