MVF Virus


 Virus Name:  MVF 
 Aliases:     Arka, Arkanoid 
 V Status:    Rare 
 Discovery:   July, 1992 
 Symptoms:    .COM file growth; TSR; system hangs 
 Origin:      USSR 
 Eff Length:  1,898 - 1,909 Bytes 
 Type Code:   PRsCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, Sweep, ChAV, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The MVF, or Arkanoid, virus was received in July, 1992.  It is 
       reported to be from the USSR.  MVF is a polymorphic, memory 
       resident infector of .COM files, including COMMAND.COM. 
 
       When the first MVF infected program is executed, the MVF virus will 
       install itself memory resident as a low system memory TSR of 
       approximately 2.1K.  Interrupt 21 will be hooked by MVF in memory. 
 
       Once the MVF virus is memory resident, it will infect .COM programs 
       when they are executed.  If COMMAND.COM is executed, it will become 
       infected.  Programs infected with the MVF virus will have a file 
       length increase of 1,898 to 1,909 bytes with the virus being located 
       at the end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings 
       are encrypted within the MVF viral code, and are not visible in 
       infected files: 
 
               "????????COM" 
               "THE MVF-FILEVIRUS" 
               "Programmed 1991 by the MVF" 
               "MAD Virus Factory" 
               "No. 0001" 
               "*.COM" 
 
       Systems infected with MVF will experience system hangs when some 
       .COM programs are executed.  These hangs will occur very 
       frequently once the boot copy of COMMAND.COM becomes infected. 
 
       Known variant(s) of the MVF virus are: 
       MVF-1954: Based on the MVF virus described above, this variant's 
                 size in memory is approximately 2.2K.  It adds 1,954 to 
                 1,969 bytes to the .COM programs it infects.  Programs are 
                 infected when they are executed or opened for any reason. 
                 The virus will be located at the end of the file.  The 
                 program's date and time in the DOS disk directory listing 
                 will not be altered.  The following text strings are 
                 encrypted within the viral code: 
                 "THE MVF-FILEVIRUS" 
                 "Programmed 1991 by the MVF" 
                 "MAD Virus Factory" 
                 "28/9/91   -   V1.6" 
                 "*.COM" 
                 As with the original virus, system hangs may occur when 
                 some .COM programs are executed. 
                 Origin:  USSR  November, 1992. 
       MVF-1954B: Similar to the MVF-1954 variant, this is a very 
                 minor variant.  It doesn't always infect .COM programs 
                 when they are opened. 
                 Origin:  USSR  November, 1992. 
       MVF-1954C: Similar to the MVF-1954 variant, this is a very 
                 minor variant. 
                 Origin:  Unknown  April, 1993.

Show viruses from discovered during that infect .

Main Page