Murphy is a Bulgarian virus that is very similar to Eddie. Some of its code may have been directly taken from that earlier virus.

Behavior

When Murphy is executed, it becomes memory resident. It infects any .com or .exe file that is executed or opened, appending its code to the end of the file. It will remove the transient part of COMMAND.COM from memory, forcing it to be reloaded and therefore infected.

Murphy will not infect files longer than its own length. Any .com files larger than 64,003 bytes will not run once infected. It contains a message that is never displayed: "Hello, I'm Murphy. Nice to meet you friend. I'm written since Nov/Dec. Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory."

Variants

• Murphy.1284- Similar to the original, but 1284 bytes. there is also a very similar 950-byte variant.
• Murphy.2- In this 1521-byte variant, the message is changed to "It's me - Murphy. Copywrite (c)1990 by Lubo & Ian, Sofia, USM Laboratory.". It will jump to the ROM Basic interpreter, causing any work that it not saved to be lost. There is also a slight difference in how the virus checks if it is in memory, using function 4B59h of INT 21h rather than 4B4Dh.
• Murphy.1480- Similar to Murphy.2, but 1,480 bytes. There is also a 1,477 byte version that is similar.
• Amilia- this variant is 1,614 bytes and will not infect files smaller than this. If its message is to be believed, it was released in Montreal, Canada in 1991 December. After 16 hours, the virus displays a green smiley that bouces off the sides of the screen, similar to PingPong. If an .exe file is executed on Sunday, it displays a message: "AmiLiA I Virii - [NukE] Released Dec91 Montreal (C) NukE Development Software Inc".
• Badtaste- tries to format disks on Monday and displays the text: "Bad Taste Ltd. (C) 1991 by Odrowad Trow…..who am I???". It may also delete .exe files.
• Brothers- this variant is 2,045 bytes long and contains the text: "Brothers in arm.Copyright (C) 1990. V 1.0".
• Cemetery- 1,417 bytes long and contains the text "CEMETERY".
• Digger- at 10:00 and 17:00 (5:00 PM), this 600 byte variant displays an image. It also contains the text string "DIGGER IS MY LOVE!".
• Kamasya- 1098 bytes long and contains text in Sanskrit:

  Kamasya nendriya pritir
  labho jiveta yavata
  jivasya tattva jijnasa
  nartho yas ceha karmabhih

• Migram- There are two variants of this virus, one 1,219 bytes long and another just two bytes over that. On Saturdays, it formats drives and displays the text:

  ╔════════════════════╗

  ║  MIGRAM VIRUS 1.0  ║

  ║    (C) 1991 IVL    ║

  ╚════════════════════╝

• Nuke- every second month, this 1,072 byte variant erases the contents of drive C:.
• Swami- When files with the letters AN, LD, or RJ are executed, the computer reboots. On April 15, it deletes .exe files as they are run and does the same with .com files on any Saturday. This variant is 1250 bytes long. It contains text that refers to the founder of the International Society for Krishna Consciousness: "Bhaktivedanta Swami Prabhupada (1896-1977)".
• Tormentor- destroys Pascal source (.pas) files. It also contains the text "-=0TORMENTOR!0=-". The original is 1,024 bytes long and a subvariant is 1,040 bytes long. The subvariant contains the text strings "NUKE!", "TORMENTOR,soldier of -=DY=-" and "[Thanks DAv!] DEMORALIZED YOUTH!".
• Woodstock- destroys .hlp files and contains text:

   Woodstock- destroys .hlp files and contains text:
  +---------+---+---+--+----+-----+
  |Woodstock|(C)|'93|by|GROG|Italy|
  +---------+---+---+--+----+-----+
  >>4/93<<
  -=0 Povero Woodstock... Se vola piu' alto
  di tre metri, gli esce sangue dal becco. 0=-
  >>4/93<<

The text in Italian says: Poor Woodstock… If you fly more 'than three meters high, the blood comes from the spout.

Diabolik

This 1,171-byte variant infects only .exe files and erases .com files. If an .exe file is executed on a Monday, it formats drive C:. The virus also contains text: "Diabolik Ltd. (C) 1991 by Odrowad�Trow".
There is a 1,172-byte subvariant sometime known as Finger or Diabolik.B whose only other difference aside from infection length is the text:

  Cannot remember what I was doing!!
  Insert fingers in ears and reboot please

Erasmus

If an .exe file is run when it has a name ending in AN, HA or IP, this 1,682 byte variant will restart DOS. If an .exe file is opened or run on a Thursday, it formats drive C:. If the user opens or runs a .com file on Monday, the virus erases it. The virus also contains an Italian poem:

  Gli Dei si mostreranno agli uomini,
  Quando essi saranno autori di grande conflitto,
  Prima il Cielo visto sarà con spada e lancia,
  Che verso la mano sinistra porterà più grande afflizione.

  Alla rivoluzione del grande numero sette,
  Apparirà ai tempi giochi d'Ecatombe,
  Non lontano dalla grande età del millennio
  Coloro che entrarono usciranno dalle loro tombe.

  Saint-Rémi, 14 dicembre 1533

The translation of this poem is:

  The gods will show to men,
  When they are authors of great conflict,
  Before the sky will be seen with sword and spear,
  That the left hand to bring more great affliction.

  The revolution of the great number seven,
  At the time games of carnage,
  Not far from the great age of the millennium
  Those who went will emerge from their tombs.

Grog

Grog- depending on the system timer, it may display the following text:

  C'erano una volta due topi che vivevano in un museo.
  Una sera, dopo la chiusura, il primo topo si infilo' nella vetrina contenente
  le uova di uccelli rari.
  Prima di accorgersene, si era gia' perso.
  "Aiuto!", grido' al suo amico.
  "Aiutami a uscire dall'ovile!"

  There were once two mice who lived in a museum. 
  One evening after closing, the first mouse was put on the window containing 
  eggs of rare birds. 
  Before realizing it, had already 'lost. 
  "Help!" Cry 'to her friend. 
  "Help me to get out dall'ovile!"

  0OVILE0
  Grog
  0GROG4EVER00_\(0_0)/_0
  >-> Ovile (C) '93 by GROG - Italy <-<

Variants by Cracker Jack

An Italian cracker who went by the name "Cracker Jack" created a number of variants. They were mostly similar, with the exception of the virus length, and some messages.

• Murphy.1399- after an infected file is executed it displays "Bad command or file name" and exits. It contains the following text:

  SaThAnYk Possession, (c) by Cracker Jack 1991 Italian
  Virus Research Laboratory Your PC is possessed by
  the Devil!!!!

• Murphy.1650- contains the text:

  Murphy IV Virus (c)1992 by Waleri Todor
  - Dark Avenger - Cracker Jack Sofia-Milan
  New USM/IVRL Laboratory.

Delyrium

• Delyrium.1638- this variant displays multiple balls bouncing off of the screen. If an infected .exe file is executed on Tuesday, it will format the hard drive. It contains the text: "Created by Cracker Jack 1991 (c) IVRL 1991 (Ivrl Head Quarter, Milan Italy) This virus is a variant of Delyrium (c) by Cracker Jack IVRL". In January, the screen will shake.
• Delyrium.1778- similar to 1638, but with slightly different text: "(c) IVRL 1991 (Ivrl Head Quarter, Milan Italy)Delyrium Virus - Created by Cracker Jack 1991 Copyright by Italian Virus Research Laboratory 1991 …..because the dead is not so far….and the horror will be with you".
• Delyrium.1780- displays the message Delyrium Virus - "Created by Cracker Jack 1991 Copyright by Italian Virus Research Laboratory 1991 …..because the dead is not so far….and the horror will be with you". There is also a 1,788 byte variant.

Goblin

Goblin formats the hard drive whenever a file with the letters AN, HK, PS or ND is opened or run. This 1,951-byte variant contains long strings of text text:

  (c) by Cracker Jack 1991 Italian Virus Research Laboratory
  Patricia does not function correctly, because I haven't run
  it before send. Now I'm debugging it...ehehehehehahahahahahah
  Smack Virus....what a horrible name!!!!!!!!!!!!!!!!!!!
  Compliments to the Dark Avenger for the nice viruses...excuse me
  if I create some variants of your beautiful viruses...Viruses are
  a nice thing!!   

  What a horrible program, i wish not execute it!

  $

  I'm hungry!! Why don't you buy me a Cheesburger??

  $

  Goblin the Black Death  (c) by Cracker Jack IVRL '91

HIV

There are two variants of this virus. One is 1,614 bytes long and the other is

  Original HIV Virus - Release 1.0 (C) by Cracker Jack

  HIV Virus - Release 1.0

  Created by Cracker Jack

  (C) 1991 Italian Virus Laboratory

Locker

This variant is 1642 bytes long. In April, it present a fake prompt: "Password ->". Under some conditions, it will infect a file and display "Password accepted!" or it may display "Incorrect Password, sorry!" and exit to DOS. It also contains the text strings:

  (c) IVRL 1991 (Ivrl Head Quarter, Milan Italy)   
  all rights reserved!!!
  Locker Viri - Created by Cracker Jack 1991

Napalm

This 2,326 byte virus, depending on the time, may format disks, install a copy of Stoned.Military or display the following text:

  Napalm Death virus 1.0  (C)reated by Cracker Jack 1992  IVRL All rights res.
  Special thanks to Maria....for the good idea!!!!

  Napalm Death 1.0  (C)reated by Cracker Jack 1992 IVRL All rights res.
  Special thanks to Swed.Dis. and Maria (T.T. this virus!!)

Pest

This variant erases .com files and disk sectors. It displays the following text on the screen:

  (c) by Cracker Jack 1991 Italian Virus Research Laboratory
  Created,Developed and Written by Cracker Jack, All rights reserved

  What a horrible program, i wish not execute it!

  $ Con questo virus dichiaro guerra a tutti i POVERI (ahhh
  quanto sono poveri!)  cosiddetti 'Virus Researchers' del
  globo...provate a prendermi..ahahahah  l'IVRL e'forte.....vincerà!!!!
  Virus Writers di tutte le nazioni...uniamci! 

   I'm hungry!! Why don't you buy me a Cheesburger??

  $

   Your PC is infected with the Intergalactic Pest!

The translation of the section in Italian is: With this virus, I declare war on all POOR (ahhh because they are poor!) so-called 'Virus Researchers' of the globe … .. try to get the IVRL, and hard ahahahah ….. it will win! Virus Writers of all nations … unite!

Smack

When the user executes files with the letters AN., HK. or HA. with a .com or .exe extension, the virus restarts DOS. If an infected fie is executed on Friday the virus asks "Is today Friday? (Y / N)". If the user answers "Y", the virus displays "Sorry but on Friday I wish not work!!" and prevents the file from executing. If the user answers "N" the virus displays the text "You are untruthful!! For punishment I format your HD Fat!!". It also contains the text: "This virus was written in Italy by Cracker Jack 1991 IVRLAll rights reserved, please don't crack this virus!!"
It also contains the extra text:

  Special message to Patricia Hoffman: I love you!!!!!!!! SmackSmack!!
  Can you give me your telephone number??? Ciao bellissima!
  Is today Friday? (Y/N)

  Virus Research LaboratoryPatricia does not function correctly, because I haven't
  run it before send.
  Now I'm debugging it...ehehehehehahahahahahahSmack Virus....what a horrible
  name!!!!!!!!!!!!!!!!!!!
  Compliments to the Dark Avenger for the nice viruses...
  excuse me if I create some variants of your beautiful viruses...
  Viruses are a nice thing!!What a horrible program, i wish not execute it!
  I'm hungry!! Why don't you buy me a Cheesburger??
  Goblin the Black Death  (c) by Cracker Jack IVRL '91

Origin

Vesselin Bontchev met the person who created this virus. He was approached one day by a man who claimed to have found a new virus that could not be stopped by a memory-resident program. Bontchev thought this sounded very similar to many other Bulgarian viruses, so he asked the man to describe the virus. The virus sounded vary similar to another very common virus, leading Bontchev to dismiss it as one he had already studied. The man said, "It's impossible that you already know it. I created it yesterday and have not released it yet!".

The creator later said that all of his disks had been stolen, and one of them contained the virus. He claimed to have not released the virus intentionally. Bontchev described him as a naive "apprentice" type of virus creator (what might today be known as a "script kiddie") who takes code from others and creates a virus for fun and prestige among other wannabe hackers.

Lubo & Ian are Lubomir Mateev Mateev and Iani Lubomirov Brankov, (at that time) residents of Sophia, Bulgaria. There is no actual "USM Laboratory".

Name

Murphy gets its name from the text that appears in its code. Antivirus products generally go with this name.

Sources

Vesselin Bontchev, Morton Swimmer. Bulgarian Academy of Science, University of Hamburg, Virus Test Center, The Murphy viruses. 1990.06.12

Kaspersky Labs. Viruslist.com, Virus.DOS.Murphy.1951.

-. -, Virus.DOS.Murphy.Delirium.1638.