Mummy
Type: File virus
Creator: Qark
Date Discovered: 1994.07
Place of Origin: Australia
Source Language: Assembly
Platform: DOS
File Type(s): .com, .exe*
Infection Length: 471 bytes

Mummy is a memory-resident companion infector: for every targeted .EXE file it creates an infected .COM file containing the virus. It is a member of Qark's Incest "family", which includes Daddy, Sister and Brother. It appeared in the July 1994 issue of VLAD magazine, along with other members of the Incest family.

Behavior

Under MS-DOS, when a program is run without specifying a file extension, a .COM file takes priority over an .EXE file of the same name. The 'infected' .COM files therefore run in place of the intended program. When run, Mummy first executes the original .EXE file and then goes resident by directly hooking INT 21h and calling INT 21h, AX=3100h (Terminate and Stay Resident).

Mummy is encrypted, and also uses a prefetch trick similar to the one used by 'Daddy', in an attempt to avoid debugging, F-PROT and Thunder-Byte Anti-Virus. Mummy uses an interesting stealth mechanism. Companion .COM files are created with the 'hidden' attribute set. When ASCII FindFirst is called (INT 21h AH=4Eh), Mummy removes the 'hidden' bit from the requested attributes mask so that hidden files are not enumerated. As a result, many anti-virus programs do not see the companion infections.
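
An added example, not part of the original research: because the stealth described above works by altering what FindFirst is asked to return, a scanner can instead decode FAT directory entries straight from a disk image examined offline and flag .COM files that shadow an .EXE of the same name. The function names and the sample directory are constructed for illustration, and treating a 471-byte size as a hint is an assumption based on the infection length listed above.

```python
import struct

ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIR = 0x02, 0x08, 0x10
INFECTION_LENGTH = 471  # bytes, from the infobox on this page

def parse_dir_entries(raw):
    """Decode 32-byte FAT directory entries into (base, ext, attr, size)."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == 0x00:      # end-of-directory marker
            break
        attr = rec[11]
        # Skip deleted entries, volume labels (and long-name slots), subdirectories.
        if rec[0] == 0xE5 or attr & (ATTR_VOLUME | ATTR_DIR):
            continue
        base = rec[0:8].decode("ascii", "replace").rstrip()
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        size = struct.unpack_from("<I", rec, 28)[0]
        entries.append((base, ext, attr, size))
    return entries

def find_companions(entries):
    """Return .COM files that shadow an .EXE with the same base name."""
    exe_bases = {base for base, ext, _, _ in entries if ext == "EXE"}
    return [
        {"file": base + ".COM",
         "hidden": bool(attr & ATTR_HIDDEN),
         "size_matches": size == INFECTION_LENGTH}  # hint only (assumption)
        for base, ext, attr, size in entries
        if ext == "COM" and base in exe_bases
    ]

def make_entry(base, ext, attr, size):
    """Build one constructed directory entry (helper for the sample only)."""
    name = (base.ljust(8) + ext.ljust(3)).encode("ascii")
    return name + bytes([attr]) + bytes(16) + struct.pack("<I", size)

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    make_entry("EDIT", "EXE", 0x20, 41520),
    make_entry("EDIT", "COM", 0x22, 471),      # hidden companion
    make_entry("FORMAT", "COM", 0x20, 22974),  # ordinary .COM, no .EXE twin
    make_entry("TOOLS", "", 0x10, 0),          # subdirectory, skipped
]) + bytes(32)                                 # end-of-directory entry

if __name__ == "__main__":
    for hit in find_companions(parse_dir_entries(SAMPLE_DIR)):
        print(hit)
```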

Mummy includes the text strings:

[Mummy Incest] by VLAD of Brisbane.
Breed baby breed!

Sources

Original research by JPanic aka @JPanicVX

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License