===== Computer Virus Catalog 1.2: "Murphy-1" Virus (12-June-1990) ====
Entry.................. "Murphy-1" Virus
Alias(es).............. ---
Strain................. Murphy Virus Strain
Detected: when......... December, 1989
          where........ Sofia, Bulgaria
Classification......... Program virus, indirect action
Length of Virus........ 1277 bytes added to EXE and COM files.
------------------------ Preconditions -------------------------------
Operating System(s).... MS-DOS
Version/Release........ 3.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes --------------------------------
Easy identification.... The virus contains the string:
                        "Hello, I'm Murphy. Nice to meet you friend.
                        I'm written since Nov/Dec.
                        Copywrite (c)1989 by Lubo & Ian, Sofia,
                        USM Laboratory."
                        See also damage.
Type of infection...... Murphy is a program virus that appends itself
                        to any COM or EXE file larger than 1277 bytes.
                        COM files must be smaller than 64226 bytes,
                        however if a COM file larger than 64003 is
                        infected, it will not run. A file is judged as
                        infected if the length between program entry
                        and end of file is the same as the virus
                        length.
                        The virus also locates the original INT 13
                        handler and unhooks any other routines that
                        have been hooked onto this interrupt and
                        restores the interrupt to the original handler.
                        Murphy installs itself into memory by modifying
                        the MCB chain. It determines whether it is
                        already in memory by executing INT 21 function
                        4B59h. If the carry flag is not set on return,
                        then the memory is assumed to be not infected.
Infection trigger...... Infects file on execution and opening.
Media affected......... Any logical drive.
Interrupts hooked...... INT 21 functions 4B, 3D00, 6C00 (bl=0) are used
                        to infect files, and INT 24 and 13 are captured
                        to mask out errors.
Damage................. The speaker is turned on and off which produces
                        a clicking noise.
Damage trigger......... This happens between 10:00 and 11:00 (AM).
Particularities........ INT 21 function 6C00 is the DOS 4.xx extended
                        open/create function. This makes Murphy-1 one
                        of the first viruses to make use of DOS 4.xx.
                        The virus knocks out the transient part of
                        COMMAND.COM forcing it to be reloaded and
                        thereby infected.
Similarities........... Much of the code was taken from Eddie-1 /Dark
                        Avenger. This is the precursor to Murphy-2.
---------------------------- Agents ----------------------------------
Countermeasures........ Checksumming programs will detect the virus,
                        but have the side-effect of infecting every
                        file on the disk if the virus is in memory.
                        F-DLOCK in Fridrik Skulason's F-PROT package
                        prevents files from being infected.
- ditto - successful.. ---
Standard Means......... ---
----------------------- Acknowledgements -----------------------------
Location............... Bulgarian Academy of Science and
                        University of Hamburg, Virus Test Center
Classification by...... Vesselin Bontchev
Documentation by....... Morton Swimmer
Date................... 12-June-1990
Information source..... ---
======================= End of "Murphy 1" Virus ======================

===== Computer Virus Catalog 1.2: "Murphy-2" Virus (12-June-1990) ====
Entry.................. "Murphy-2" Virus
Alias(es).............. ---
Strain................. Murphy Virus Strain
Detected: when......... April, 1990
          where........ Sofia, Bulgaria
Classification......... Program virus, indirect action
Length of Virus........ 1521 bytes added to EXE and COM files.
------------------------ Preconditions -------------------------------
Operating System(s).... MS-DOS
Version/Release........ 3.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes --------------------------------
Easy identification.... The virus contains the string:
                        "It's me - Murphy.
                        Copywrite (c)1989 by Lubo & Ian, Sofia,
                        USM Laboratory."
                        See also damage.
Type of infection...... Murphy is a program virus that appends itself
                        to any COM or EXE file larger than 1521 bytes.
                        COM files must be smaller than 63982 bytes.
                        A file is judged as infected if the length
                        between program entry and end of file is the
                        same as the virus length.
                        The virus also locates the original INT 13
                        handler and unhooks any other routines that
                        have been hooked onto this interrupt and
                        restores the interrupt to the original handler.
                        Murphy installs itself into memory by modifying
                        the MCB chain. It determines whether it is
                        already in memory by executing INT 21 function
                        4B59h. If the carry flag is not set on return,
                        then the memory is assumed to be not infected.
Infection trigger...... Infects file on execution and opening.
Media affected......... Any logical drive.
Interrupts hooked...... INT 21 functions 4B, 3D00, 6C00 (bl=0) are used
                        to infect files, and INT 24 and 13 are captured
                        to mask out errors.
Damage................. A ball (character 07) bounces over the screen.
Damage trigger......... This happens if the virus is active between
                        10:00 and 11:00 (AM).
Particularities........ INT 21 function 6C00 is the DOS 4.xx extended
                        open/create function. This makes Murphy (1/2)
                        one of the first viruses to make use of
                        DOS 4.xx.
                        The virus knocks out the transient part of
                        COMMAND.COM forcing it to be reloaded and
                        thereby infected.
Similarities........... This virus was derived from Murphy-1. The code
                        has been cleaned up a bit, but the main
                        difference is in the damage. Much of the code
                        was taken from Eddie-1 /Dark Avenger.
                        The bouncing ball effect looks very much like
                        the Italian-virus, but the code shows no
                        similarities.
---------------------------- Agents ----------------------------------
Countermeasures........ Checksumming programs will detect the virus,
                        but have the side-effect of infecting every
                        file on the disk if the virus is in memory.
                        F-DLOCK in Fridrik Skulason's F-PROT package
                        prevents files from being infected. (It was
                        loaded before the virus was.)
- ditto - successful.. ---
Standard Means......... ---
----------------------- Acknowledgements -----------------------------
Location............... Virus Test Center, University of Hamburg
Classification by...... Morton Swimmer. The source listing came from
                        Lubomir Mateev, one of the "authors" of this
                        virus. It was nicely commented in Bulgarian.
Documentation by....... Morton Swimmer
Date................... 12-June-1990
Information source..... ---
======================= End of "Murphy-2" Virus ======================
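
Added example (not part of the catalog and not code from its authors): a file check built on the two identification criteria the entries give, the entry-to-end-of-file length (1277 or 1521 bytes) and the identification string. The function names, the sample builders and the assumption that an infected COM file begins with a near JMP (E9) to the appended code are illustrative; the sample files are constructed filler, not virus code.

```python
import struct

# Virus lengths and leading identification text, as given in the catalog entries.
VARIANTS = {
    "Murphy-1": (1277, b"Hello, I'm Murphy."),
    "Murphy-2": (1521, b"It's me - Murphy."),
}

def entry_offset(data: bytes):
    """File offset of the program entry point, or None if it cannot be derived."""
    if data[:2] in (b"MZ", b"ZM") and len(data) >= 0x1C:
        # EXE header: size in paragraphs at 0x08, initial IP at 0x14, CS at 0x16.
        hdr_paras, = struct.unpack_from("<H", data, 0x08)
        ip, cs = struct.unpack_from("<HH", data, 0x14)
        # CS:IP is relative to the load module and wraps in real-mode addressing.
        return hdr_paras * 16 + ((cs * 16 + ip) & 0xFFFFF)
    if len(data) >= 3 and data[0] == 0xE9:
        # Assumption: COM entry is the target of a near JMP at offset 0.
        rel, = struct.unpack_from("<H", data, 1)
        return (3 + rel) & 0xFFFF
    return None

def check(data: bytes):
    """Return (variant, reasons) for the first variant that matches, else None."""
    off = entry_offset(data)
    for name, (length, marker) in VARIANTS.items():
        reasons = []
        if off is not None and len(data) - off == length:
            reasons.append("entry-to-EOF length")
        if marker in data:
            reasons.append("identification string")
        if reasons:
            return name, reasons
    return None

def sample_com(tail_len: int, marker: bytes = b"") -> bytes:
    """Constructed COM image: 2000-byte host plus tail_len filler bytes."""
    host = b"\xE9" + struct.pack("<H", 2000 - 3) + bytes(1997)
    return host + marker.ljust(tail_len, b"\x90")

def sample_exe(tail_len: int) -> bytes:
    """Constructed EXE image: 32-byte header, 3000-byte host, filler tail."""
    hdr = bytearray(32)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 2)         # header size: 2 paragraphs
    struct.pack_into("<HH", hdr, 0x14, 3000, 0)  # IP=3000, CS=0
    return bytes(hdr) + bytes(3000) + b"\x90" * tail_len

if __name__ == "__main__":
    print(check(sample_com(1277, b"Hello, I'm Murphy.")))
    print(check(sample_exe(1521)))
```

The length criterion alone can match an unrelated program whose entry point happens to lie 1277 or 1521 bytes before end of file, so treat a length-only hit as a lead to confirm. Because the entries state that the virus infects files on opening, run such a check only after booting from clean media.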