PS-MPC | |
---|---|
Type | Virus Generator |
Creator | Dark Angel |
Date Discovered | 30-JUL-1992 |
Place of Origin | United States |
Source Language | C |
Platform | DOS |
File Type(s) | .com, .exe |
Reported Costs |
PS-MPC, which stands for Pretty Slick Multimedia Personal Computer or Phalcon-Skism Mass Produced Code, was a virus generator written by Dark Angel of Phalcon/SKISM. It appeared in 1992 and saw use as late as 1997.
Features
PS-MPC puts out an assembly source compatible with the MASM and TASM assemblers (though Dark Angel says MASM is a terrible assembler and recommends TASM). It has over 150 encryption techniques randomly generated each time the generator is run. It is capable of infecting both .com and .exe files. Users may choose to infect COMMAND.COM or leave it alone. The generator features two types of traversals. It also supports critical error handling.
One feature that was omitted was activation routines, since Dark Angel believed anyone relying on a generator to make their viruses should not be using them. He acknowledged the possibility that someone could copy and paste malicious code from another piece of malware into a generated assembly file. Generated files did include a stub for activation conditions, where the writer could insert their own into the source code.
PS-MPC is run as a command line program taking config files (with .CFG extension) to create a virus. It allows the user to create multiple viruses with one command. For example "PS-MPC CONFIG1.CFG, CONFIG2.CFG, CONFIG3.CFG" would create three viruses with potentially very different features.
The configuration files themselves are text files containing parameters defining the output of the generator. Dark Angel included a "SKELETON.CFG", which contained all the parameters PS-MPC would accept and the defaults of these parameters. The files were designed to be very easy for beginners to read so they did not require much explanation.
Also of note is the fact that Dark Angel deliberately omitted any GUI or IDE for the generator. Though this might make it intimidating at first for new users, Dark Angel believed this would filter out potentially dangerous people who needed a lot of hand holding. It also made it very easy to script, making it possible to generate thousands of viruses with a single DOS shell command.
Origin
PS-MPC was coded in Turbo C by American virus writer Dark Angel. Its published source code is dated the 30th of July in 1992. Dark Angel released the virus as freeware into the public domain. He dedicated it to the VX and antivirus communities and acknowledged inspiration from NoWhere Man's VCL, which he described as "excellent". The generator was not intended to spread dangerous code, but to act as a learning tool for beginning virus writers to learn to write effective code.
Dark Angel admitted the generator was hastily written and most of the code was completed in less than two days. The rest of the features were added gradually over the rest of the week. The version included in Issue 8 where it was originally released was considered a pre-1.0 version, as it likely contained bugs.
Dark Angel did continue work on the generator for a while after its initial release. Initial versions could only create direct action infectors, but later versions allowed for memory resident viruses. He also released a "G2" version that included anti-debugging and anti-emulation features.
PS-MPC Viruses
Around 15,000 unique viruses were created with Phalcon-Skism Mass Produced Code, mostly by members of the VX scene and their allies to flood antivirus vendors' FTP sites with reports of new viruses. Three of them, 644, Walkabout, and Math Test, were found in the wild. Unless otherwise noted, they don't alter the file's date and time, and are appenders.
August 1992 (Crumble)
Crumble was one of the first versions reported, appearing in the US in August of 1992. It checks the current directory and infects two files each time it is run. The files can be either .exe or .com and will grow by 778 bytes. The time and date will not be altered. It takes its name from the text found in the viral code, "[CrumblKouch] Kouch".
September 1992 (644, Abraxas, Death 2, Mimic-Den Zuk, Mimic-Jerusalem, No Wednesday, Z10, Zepplin)
644 (NOT FOUND IN COLLECTION) appeared in September of 1992. It is a direct action infector of .com and .exe files. It avoids infecting COMMAND.COM. When executed, it will infect all compatible files in the current directory, appending its 644 bytes to the end. It does not alter the file's time and date in the directory listing. This virus is one of a few found in the wild in the US and Canada.
Abraxas is 546 bytes long. It is capable of infecting .com and .exe files, including COMMAND.COM, though it shows a preference for .exe files. It appends itself to one program in the current directory each time an infected program is run. Abraxas will not always recognize a previously infected program, and may reinfect the file. Infected programs will not run properly and return the user to the DOS prompt. The system may fail to boot when COMMAND.COM is infected. It gets its name from the text "[Z10] Abraxas" found in the encrypted text.
Death 2 (NOT FOUND IN COLLECTION) is a 671 byte non-resident direct action infector that behaves very similarly to Abraxas. It contains the text strings "[MPC] The Virus Of Death 2" and "The Happy Hacker".
Mimic-Den Zuk (NOT FOUND IN COLLECTION) is one of the larger versions, weighing in at 4,893 bytes. It only infects .com files, but does interact with .exes. It infects two .com files every time an infected program is executed. It contains the text strings "DENZ-SIMCOM", "Program is the wrong length", and "check for virus infection".
On Fridays, it activates a payload. When an infected .com file is executed, it will overwrite some .exe programs in the current directory with a trojan. When this trojan is executed, it displays the Denzuko logo, then returns to the DOS prompt. The trojan itself is 4,243 bytes long, taking up the majority of the virus.
Mimic-Jerusalem is 2,832 bytes long and infects .com and .exe files, though it avoids COMMAND.COM. It will infect either all .exe or all .com files in the current directory when an infected program is executed. It may infect .exe files multiple times. It contains text strings which are encrypted, but may be visible in trojanized .exe files: "JERU-SIM.COM V1.02", "Written by URN KOUCH", and "Copyright (c) URN KOUCH 1992.".
This version also has a payload that activates on Fridays. When an infected program is executed, some .exe files will be trojanized. These files, when executed, will mimic the behavior of the Jerusalem virus.
No Wednesday (NOT FOUND IN COLLECTION) is a 520 byte virus that infects .com files, but avoids COMMAND.COM. It infects one file in the current directory each time an infected program is executed. It contains the encrypted text strings "[MPC] [No Wednesday]", "* by Goethe *", and "for [AKL/4269]". It activates a payload on Wednesday, giving an error message any time the user runs an infected program, saying "File not found." and returning the user to the DOS prompt. The programs will run normally on any other day of the week.
Z10 infects two .com or .exe files in the current directory, avoiding COMMAND.COM and preferring .exe files. It is 704 bytes long and contains the text "[PF] [Z_10] Paul Ferguson".
Zeppelin or SwanSong* infects five .com or .exe files in the current directory with a preference for .exe files and may infect COMMAND.COM. It is 1,508 bytes long. It contains the text strings "Ripped this Motherfucker off", "SHIT!!! Wont work….", and "[pAgE] [SwanSong] Gandolph". It activates a payload with every 5th .exe infection, displaying a color image of a Zeppelin and making sound on the system speaker. On monochrome screens, it may appear as random characters. It may cause system hangs when infecting .com files.
October 1992 (203, McWhale, Kersplat, Walkabout)
203 infects a single .com file in the current directory and does little other than replicate.
Joshua is a 965 byte direct action infector of two .com and .exe (preferring .exe) files in the current directory, though it avoids COMMAND.COM. If it doesn't find any or runs out, it will look in the directory above it. It may sometimes display the following message with each execution:
Guess what ???
You have been victimized by a virus!!! Do not
try to reboot your computer or even turn it
off. You might as well read this and weep!
McWhale.1125 weighs in at 1,125 bytes and is a direct action infector of .com and .exe files. There is also a 1,022 byte variant. It infects two .exe or .com files each time an infected program is executed, with preference for .exe files. Roughly 40% of the time when an infected program is executed, the virus displays a message in the middle of the system display, scrolling from right to left on one line: "Beware!!!………………………… Anti-Virus…..Man…..John…..McAfee…..wrote…..the WHALE…..virus!!………………………… HONEST!!!…………….". It may less frequently display the text, "- (c) 1992 Abraxas Warez……..". It also contains the text strings (not displayed) " ABRAXAS -" and "[MPC] [McAfee' Whale] [pAgE]". It may cause system hangs.
Kersplat (NOT FOUND IN COLLECTION) was one of the first memory resident viruses from this generator, appearing in October, 1992. It is 670 bytes long. When the first infected program is executed, it becomes memory resident at the top of system memory just below the 640K DOS boundary. It takes up 2,048 bytes of total system and available free memory, as indicated by the DOS CHKDSK. Once resident, it infects .exe and .com files, including COMMAND.COM, as they are executed. It contains the text "[KERSPLAT] THE STRANGER".
Walkabout is memory resident, installing itself at the top of system memory just below the 640k DOS boundary taking up 2,048 bytes of total system and available free memory. It hooks Interrupt 21 in memory. While resident, it infects .com and .exe files as they are executed, including COMMAND.COM. It appends its 573 bytes to the end of the file.
This version appeared in October of 1992. It was also found wild in North America. When decrypted, the text "[WALKABOUT TSR VER 1.0] THE STRANGER" can be found in the viral code.
November 1992 (696, Eclypse, Page, Schrunch, Skeleton, Sunday Death, Tongue, Toys, Anathema, Clint)
696 infects three .com or .exe files in the current directory and may infect COMMAND.COM.
Eclypse is a 641 byte direct action infector of .com and .exe files and can infect COMMAND.COM. It infects a single program in the current directory each time an infected program is executed, with preference to .exe files. It contains the text string "[MPC] [Eclypse] Abraxas".
Page weighs in at 570 bytes, and it infects both .com and .exe files, even COMMAND.COM. When executed, it will check to see if the .exe files are infected and infect ones it finds in the current directory first if not. When it finds previous infections on .exe files, it will then attempt to infect .com files. It gets its name from the string "[pAgE]". There is another version by this generator also called Page.B, discovered in May of 1993, but it does not seem similar.
Schrunch is 458 bytes long. It infects a single program in the current directory each time an infected program is executed. It contains the following text string, "[ZEB (C) 1992] [SCHRUNCH[ Abraxas 2]". On VGA systems, executing an infected program will cause the system display to be placed in 50 line mode, and may cause some beeping. On non-VGA systems, this results in garbled characters.
Skeleton comes from Germany and infects three .com or .exe files in the current directory, possibly including COMMAND.COM with each execution. It is 556 bytes long. It contains the text string "[MPC] [Skeleton] Deke". It may cause system hangs when it runs out of files to infect.
Sunday Death is 644 bytes long and infects all .com and .exe files in the current directory, including COMMAND.COM. It contains the text strings "[BCA]", "Sunday Death — 1992 (c)BCA", and "Raven". It may cause system hangs when executed on Sunday.
Tongue behaves almost identically to Skeleton, minus the text strings. It is 597 bytes long.
Toys is 773 bytes long and infects two .com or .exe files in the current directory, including COMMAND.COM and preferring .exe files. It contains a few text strings: "All my toys are broken", "And so am I inside.", "The carnival has closed", "The carnival has closed", "Years ago…", and "[VCL/MPC]".
Anathema is a 588 byte memory resident virus. It takes 2,048 bytes in total system and available free memory. It infects .com and .exe files as they are executed, including COMMAND.COM. It may corrupt file allocation table 1 including file allocation errors and cross-linking of programs and data files. The system may fail to boot after COMMAND.COM is infected. It includes the text "[ANATHEMA] THE STRANGER".
Clint is a 1,076 byte memory resident virus. When executed, it takes up 3,072 bytes in memory. It infects .com and .exe files, including COMMAND.COM as they are executed. It contains the text strings "[ANATHEMA] THE STRANGER", "[CLINT] (c) Copyright 1992 THE STRANGER", and "THIS VIRUS PROUDLY MADE IN THE USA!"
December 1992 (Napoleon Complex, Test 441, Wares D00d)
Napolean Complex is 729 bytes long. It infects three .com or .exe files in the current directory, possibly including COMMAND.COM with each execution, preferring .exe files. It contains the text "LMluvsSI", "Dynamite cums in small packages!", and "[NAPOLEAN COMPLEX v1.0] Nameless One — ANARKICK SYSTEMS". It may cause the system to hang when infected programs are executed.
Test 441 is 441 bytes long and infects three .exe files on each execution. When it has infected all .exe files in the current directory, it moves up in the directory structure. It contains the text "[MPC] [Test] Sam Hain".
Warez D00d is 1,803 bytes long and infects .com, .exe, and .ovr files. It infects all files in the current directory, including COMMAND.COM. It may sometimes corrupt some .exe files. It may also display the message:
DONT'T YOU KNOW THAT PIRACY IS ILLEGAL
I am afraid that I am going to have to smash your Warez, d00d!!!
Go ahead! Call the police and tell them [NuKe] paid you a visit!
It also contains the encrypted text strings: "HEY!!! Blow ME, WaReZ FAGGOT" "You got sorta lucky!!!" "I am afraid that I am going to have to smash your WaReZ, d00d!!!" "Go ahead! Call the police and tell them" "[NuKe]" "paid you a visit!"
January 1993 (Cheesy, Chuang Tzu)
Cheesy is 381 bytes long and infects a single .exe file on each execution. It contains the text "[MPC] Dark Angel of PHALCON/SKISM" and "[DemoEXE] for 40Hex", suggesting it was conceived as a test by Dark Angel himself.
Chuang Tzu is 970 bytes long and infects two .com or .exe files at a time, though avoids COMMAND.COM. It contains the text strings:
"No one has lived longer than a dead child,
and Methusula died young."
"Heaven and Earth are as old as I,
and ten thousand things are one."
"-- Chuang Tzu, 300 B.C."
February 1993 (Cinco de Mayo, Alien 1, Alien 3, Scarey)
Cinco de Mayo is 885 bytes long and only infects .com files, though avoids COMMAND.COM. It infects three .com files in the current directory each time an infected program is executed. It contains the following text strings:
"** Cinco de Mayo **"
"No trabajas hoy."
"[MPC] [VCL] [Cinco de Mayo]"
"Danzig Tanks to Dark Angel and Nowhere Man for their
excellent Virus creation programs! more to follow"
Alien-1 is a 571 byte memory resident virus infecting .com and .exe files, including COMMAND.COM. In memory it is 1,216 bytes and infects files as they are executed. It contains the text string "ALiEN 1 Leviathan =VC".
Alien-3 is a 625 byte memory resident infector of .com and .exe programs, including COMMAND.COM. It takes up 1,328 bytes in memory. Its code contains the text string "ALiEN 3 - Demon Spawn Leviathan =VC".
Scarey, weighing in at 739 bytes, is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. In memory it takes up 1,552 bytes. This version makes a buzzing noise on the system speaker while reading the system hard disk.
March 1993 (McWhale.1022, Hiccup)
McWhale.1022 functions similarly to the earlier version of McWhale with some differences in the payload. Approximately 40% of the time when an infected file is executed, it displays a message in a scrolling, diagonal formation on the system display:
"by McWhale - (c) 1992 McAfee Warez."
"McAfee, wrote the WHALE...."
"...and Solient Green is people"
It may also display the message "System reports appear".
Hiccup is a 533 byte memory resident infector of .com programs only, including COMMAND.COM. In memory it will take up 2,048 bytes. Its encrypted code contains the text strings "[N.I.T is a waste of money!]", "[Created at the National Institute of Technology]", "[Hiccup]", and "May the world fear the hiccup! Created Feb.1993".
April 1993 (Sucker)
Shock Therapy is a 620 byte memory resident infector of .com and .exe files including COMMAND.COM, taking 2,048 bytes in memory. It contains the text "Your HD is TOAST!Thanx to Shock Therapy!", "SHOCK THERAPY", and "TIaMaT".
Sucker is a 572 byte memory resident infector of .com and .exe files, including COMMAND.COM. It takes 2,048 bytes in memory. The following text string is encrypted in the viral code: "[MPC] Sucker (C) 1993".
Warez-1341, in spite of its name, is not similar to the version appearing in December of 1992. It is 1,341 bytes long and only infects .com files. It infects all .com files in the current directory, except COMMAND.COM. It contains the text "- W A R E Z D 0 0 D -". It may sometimes corrupt the file allocation table when an infected file is executed.
May 1993 (Page.B)
Page.B is 780 bytes long and only infects .com programs, including COMMAND.COM. Page.B will infect the first .com file located in the current directory. It does not check to see if the file was previously infected. Every time an infected file is run, another 780 bytes of virus gets added to the file. It may sometimes display the text in multicolored letters, diagonally scrolling: "Ancient Sages Is one of pAgEs". It contains the text (not displayed) "by»pAgE«(C)1992 TuRN-THE-pAgE".
June 1993 (Bamestra, Grease, Tim 3, Tim 4, Tim 5, War Dork, Who Cares, Math Test)
Bamestra has at least 10 different versions mostly around 530 bytes long (529, 530, 531, 534, 535, 536), which are similar except for slight differences in length. They infect only .exe files in the current directory with each run and contain the text "[MPC] [Bamestra] Frans Veldman".
Grease infects .com and .exe files, including COMMAND.COM, and is 856 bytes long. Each time it is run, it will infect five files. This version may cause system hangs when an infected file is executed. It includes the following text strings: "You have been hit with the Grease Man virus.", "Listen to him on 92.3 or 94.1 FM in the NYC listening area from 6-10PM", "Monday-Friday. Give him a call at 1-800-544-9294 and tell him the good news!", and "Ohhh Schweet ahhh!".
Tim 3, 4, and 5 contain the text "[MPC] [TIM] Abraxas" and infect only one file each time it's executed. Tim 3 is 301 bytes long and only infects .com files. Tim 4 is 515 bytes and infects both .com and .exe files. Tim 5 is 401 bytes long and only infects .com files.
War Dork only infects .exe files and is 553 bytes long. It infects three files in the current directory each time an infected file is run. It contains the text string "[MPC] War Dork A rombus".
Who Cares is one of the smaller versions at 181 bytes and only infects .com files, including COMMAND.COM. It infects all .com files in the current directory each time it is run. This version is a prepender, which is rare for viruses coming from the PS-MPC generator and it also changes the date and time of the infected file to the time of the infection.
Math Test is a 1,136 byte memory resident virus that infects .com and .exe files, even COMMAND.COM. It takes up 2,384 bytes in memory and infects .com and .exe files as they are executed. It has a payload that activates between 09:00 and 10:00 in the morning. It displays the following prompt:
"It's time for a math test courtesy of YAM!
And the question is...
What is 00 + 00 ="
If the user types "00", the program the user intended to run is executed normally. Otherwise, it displays the text "WRONG!!!! TRY AGAIN!", and returns the user to the DOS prompt. The text "Admiral Bailey [MATH TEST VIRUS]" can be found in the encrypted viral code.
This version was found in the CD-ROM disk "Software Vault, Collection 2" in October 1993 in Helsinki, Finland.
July 1993 (Birthday, Cinco, DataDeath, Helmet, Iron Hoof 1, Iron Hoof 2)
Birthday is 1,104 bytes long and infects .exe files. This version infects one on the B: or C: drives each time it is executed. If there is no disk in drive B: and the virus tries to find a file there, the system will hang. Its encrypted code contains the text "This is the birthday of the great one.", "There will be no computer usage today.", "This is the second release of the weak virii, It is weak virii version % *.EXE ..".
Cinco is similar to the Cinco de Mayo version in all ways, except that it infects three .exe files when an infected file is executed. It contains the encrypted text strings "Cinco de Mayo", "No trabajas hoy.", "Bebe mas cerveza!!", "[MPC] [VCL] [Cinco de Mayo]", and "Danzig Thanks to Dark Angel and Nowhere Man for their excellent Virus creation programs! more to follow".
DataDeath is a 1,060 byte infector of .com and .exe files, including COMMAND.COM. It may infect four or five .com or .exe files with every execution, generally preferring .exe files. It contains several text strings, including "Hello I am Absolute Sector of DataDeath", "I am in your computer now… I have magic powers…", "DataDeath - Taking The World By Storm!!!", "Now your hard disk will pay for your stupidity!", "Hi to: Aristotle, Apocalypse, Vengeance, and YOU!", "Love You Joslyn", "HACKERS, VIRUSES, AND ANARCHY FOREVER…", "-Absolute Sector (DataDeath)", and "Your hard drive has now felt my magic lightning", "PS-MPC produced (with modifications of course!)"
Helmet 1.0 is 412 bytes long and infects .com files, though avoids COMMAND.COM. It infects only one file each time it is executed. It contains the text "[MPC] [HELMET 1.0] Basher IV".
Iron Hoof 1 and Iron Hoof 2 are respectively 459 and 462 bytes and infect three .exe files in the current directory or the directory above it. They contain the text strings "[Iron Hoof] Nameless One — ANARKICK SYSTEMS" (first version), "[Iron Hoof v2] Nameless One — ANARKICK SYSTEMS" (second version).
August 1993 (Groovy, Quadratic)
Groovy is a 466 byte virus that infects two .EXE files in the current directory each time an infected file is executed. Its viral code contains the encrypted text "GRooVYGRooVYGRooVYGRooVYGRooVYGRooVY stupid biquts *.exe".
Quadratic is a 986 byte virus that will sometimes overwrite 983 bytes of the hex 00 area within COMMAND.COM or it will increase the file length by 986 bytes with the viral code being located at the end of the file. The file's date and time in the DOS disk directory will have the seconds field set to "62", similar to Vienna. The strings "Quadratic Equation" and "SD93".
September 1993 (Armana, Nirvana, 331, 338, 339, 344, 347, 352, 353, 478, 573, 598, 603, 611, Pussy, T-Rex)
Armana.564 infects two .exe files in the current directory each time an infected program is executed. Once it has run out of available .exe files, it will infect .com files. It contains the text string "rx3"bghgttggtgtffffd" in its encrypted code.
Nirvana is 835 bytes long and infects .exe files. When executed, it infects all .exe files in the current directory, as well as the root directory of drive C:. The following text strings can be found in the virus's code: "YOU ARE DEAD. YOUR COMPUTER IS NOW EXPERIENCING NIRVANA", "IT IS DELETING ALL EXECUTABLE FILES FROM YOUR HARD DRIVE", and "This is version &% of Nirvana released in 1993".
PSMPC.331 is 331 bytes long and infects a random number of .com files in the current directory when executed.
PSMPC.338 infects only one .com file in the current directory. It will only infect four of them.
PSMPC.339, 344, 347, 351, 352, and 353 infect a single .com file in the current directory. They may cause system hangs.
PSMPC.478 infects two .com or .exe files with each run. It may also cause system hangs.
PSMPC.573 infects two .com or .exe files in the current directory when an infected file is executed. The virus attempts to write to the printer, and if it doesn't find one, the system may hang.
PSMPC.598 and 611 infect all .com and .exe files in the current directory when executed.
PSMPC.603 also infects all .com and .exe files in the current directory. It may cause system hangs as well as buzzing on the system speaker when an infected program is executed.
Pussy is a memory resident companion virus weighing in at 493 bytes. When executed, it takes up 4,096 bytes in memory. It infects .exe files, and creates a .com file with the same name. It may corrupt the File Allocation Table when an infected program is executed.
T-Rex is 410 bytes long on the disk and takes up about 500 bytes in memory. It infects .com files as they are executed. Infected files will hang the system when executed and boot failures will occur after COMMAND.COM is infected. Some files may return the user to the DOS prompt. It contains the text "[MPC] T-REX subcon". It appears to not work after the first generation.
October 1993 (7% Solution, Abraxas.1520)
7% Solution is a 599 byte memory resident virus infecting .com and .exe files, including COMMAND.COM. It takes up 2,048 bytes in memory. It infects .com and .exe files as they are executed. The virus body contains the encrypted text "The 7% Solution". It may corrupt system CMOS. A variant was discovered in February of 1994 that is functionally similar, with the exception of being 672 bytes long and the text string "The 7% Solution 2.0". Given a "3.0" version was discovered in December of 1993, this version may have been quietly spreading in the wild for some time. The 3.0 version is 918 bytes long and contains the text strings "The root directory of the current drive has been destroyed by the 7% Solution 3.0 virus". They appear to originate from Sweden.
Abraxas.1520 infects up to four .com files in the current directory each time an infected file is executed, and it is capable of infecting COMMAND.COM. It may cause system hangs when files are executed. It contains the text "Ich bin ein Geschenk von dem Teufel" (German, "I am a gift from the Devil").
February 1994 (No God)
No God is a 728 byte direct action infector of .com and .exe files. It infects five files in the current directory when an infected file is executed. The text strings "[NOGOD]" and "God is fake, He wouldn't let this happen." can be found in the encrypted code.
July 1994 (Mom, Powermen, Walt, Greetings)
PS-MPC.Mom is 974 bytes long and infects .com and .exe files, even COMMAND.COM. When an infected file is run, the virus infects all .exe files in the current directory. If all .exe files were previously infected, the virus will infect all .com files in the current directory. It contains some text strings of interest, including "MoM#\/# () #\/#", "You are hereby notified that your system has just encountered a very unusuall disk error. This error can be very fatal!!! "Please check your system for any further errors." and "DOS EXCEPTION ERROR #13"
PS-MPC.Powermen.717 infects .com and .exe files, including COMMAND.COM. It infects 5 .exe files on each execution until there are no uninfected .exes left, then does the same with .com files. It may cause system hangs when all .exe files are infected. It contains the text string "[MPC] [PowerMEN] PowerMEN".
PS-MPC.Walt.311 infects one .com file in the current directory each time it is executed. It contains the text strings "[SHY_KOO]" and "[Walt Whittman]".
PS-MPC.Greetings is a 1,118 byte memory resident virus that infects .com and .exe files, including COMMAND.COM. Its size in memory is 2,288 bytes. Once resident, it infects .com and .exe files as they are executed. It contains the text strings, "Admiral Bailey [YAM]", "***[ Just wanna say Wa'Sup to: ] The Carmel Massive The Jamaican Posse and Mad Cobra. Keep the FLEX alive!", and "By-The-Way John call this one "Greetings"."
December 1994 (Deathboy)
PS-MPC.DeathBoy is 893 bytes long and infects both .com and .exe files, including COMMAND.COM. It infects one .com and one .exe file in the current directory on each execution, then hangs the system. The time in the seconds field will be set to "58", but will otherwise be unchanged from the last time the file was modified. It sets the system date to the 10th of December 1994. System hangs do not occur once all .com and .exe files have been infected. It contains the text strings "1994 virus=DeathBoy was here" and "TINYPROG says, "Patched program!"".
January 1995 (150.B, Asstral)
PS-MPC.150.B infects all .com files, including COMMAND.COM, when it is executed. The seconds field of the file's date and time will be set to "12", though the rest will be unchanged.
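The seconds-field markers described above for Quadratic ("62"), DeathBoy ("58") and 150.B ("12") can be checked directly from a raw FAT directory region. The Python sketch below is an added example, not part of the original article: the sample entries, file names, sizes and dates are constructed, and the clustering thresholds are assumptions.

```python
import struct
from collections import defaultdict

# Seconds values the article reports as set by specific variants.
PAGE_MARKERS = {62: "Quadratic", 58: "DeathBoy", 12: "150.B"}
EXEC_EXTS = {"COM", "EXE"}


def decode_entry(raw):
    """Decode one 32-byte FAT short-name directory entry (None if not a file)."""
    if len(raw) != 32 or raw[0] in (0x00, 0xE5):   # end marker / deleted slot
        return None
    if raw[11] & 0x18:                             # volume label, LFN slot, directory
        return None
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    time_w, date_w, _cluster, size = struct.unpack_from("<HHHI", raw, 22)
    return {
        "name": f"{name}.{ext}" if ext else name,
        "ext": ext,
        "hour": time_w >> 11,
        "minute": (time_w >> 5) & 0x3F,
        # DOS stores seconds/2 in 5 bits, so raw values 30 and 31 decode to
        # 60 and 62: times no clock produces, hence usable as a marker.
        "second": (time_w & 0x1F) * 2,
        "date": (1980 + (date_w >> 9), (date_w >> 5) & 0x0F, date_w & 0x1F),
        "size": size,
    }


def scan_directory(blob, cluster_min=3):
    """Return (file name, reason) findings for the executables in a directory."""
    execs = []
    for off in range(0, len(blob) - 31, 32):
        entry = decode_entry(blob[off:off + 32])
        if entry and entry["ext"] in EXEC_EXTS:
            execs.append(entry)

    findings, by_second = [], defaultdict(list)
    for e in execs:
        if e["second"] >= 60:
            hint = PAGE_MARKERS.get(e["second"], "no variant listed")
            findings.append((e["name"], f"impossible seconds {e['second']} ({hint})"))
        else:
            by_second[e["second"]].append(e)

    # A valid seconds value proves nothing on a single file. It becomes a weak
    # signal when at least cluster_min executables, making up half or more of
    # the directory, share it while their date/hour/minute differ (assumed
    # thresholds; a batch copied in the same minute is not flagged).
    for sec, group in by_second.items():
        stamps = {(e["date"], e["hour"], e["minute"]) for e in group}
        if len(group) >= cluster_min and 2 * len(group) >= len(execs) and len(stamps) > 1:
            hint = PAGE_MARKERS.get(sec, "no variant listed")
            findings.extend((e["name"], f"shared seconds {sec} ({hint})") for e in group)
    return findings


def make_entry(name, ext, h, m, s, size, date=(1993, 8, 14), attr=0x20):
    """Build a constructed directory entry for the demo (not real evidence)."""
    y, mo, d = date
    time_w = (h << 11) | (m << 5) | (s // 2)
    date_w = ((y - 1980) << 9) | (mo << 5) | d
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_w, date_w, 2, size))


# Constructed sample directory: one impossible stamp, one cluster on 58,
# one non-executable sharing the value, one clean executable.
SAMPLE = b"".join([
    make_entry("COMMAND", "COM", 12, 0, 62, 48831),
    make_entry("EDIT", "COM", 9, 15, 58, 1306, date=(1994, 3, 2)),
    make_entry("FORMAT", "COM", 17, 40, 58, 23804, date=(1994, 5, 9)),
    make_entry("CHKDSK", "EXE", 8, 2, 58, 13228, date=(1994, 1, 20)),
    make_entry("README", "TXT", 10, 0, 58, 900),
    make_entry("MORE", "COM", 11, 30, 24, 2618),
])

if __name__ == "__main__":
    for name, reason in scan_directory(SAMPLE):
        print(f"{name:12} {reason}")
```

Only the impossible value (60 or 62) is a strong indicator on its own; a shared valid value such as 58 or 12 should be confirmed against known-good file sizes or hashes before treating a file as infected.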
PS-MPC.Asstral is 753 bytes long and infects three .exe files each time it is executed. It contains the text strings "[ASStral Zeuss] MUJA DIB ASStral Zeuss sucks DICK…Goodbye HD!", "Tim Andrews talks to rocks", and "Revenge is sweet assholes".
May 1995 (Fred, Projekt, Snort)
PS-MPC.Fred is 720 bytes long and infects three .com or .exe files in the current directory when it is executed. It contains the text string "In fond memory of Fred:We'll miss you…".
PS-MPC.Projekt.897 is an 897 byte direct action infector that infects three .com or .exe files each time an infected file is executed. It contains the text strings "If you can be a half-wit, so can I!" and "*.exe *.com .. US" in its viral code. There is a 918 byte version from the same month that differs only in that it contains "[ProjeKt X]" in its code.
PS-MPC.Snort becomes memory resident when executed and takes up 3,072 bytes in memory, though only 405 on the disk. It infects .com files, including COMMAND.COM as they are executed. It contains the text in its viral code "MRMSNORT MRMSNORT" and "MRMSNORT-VIRUS-EASTGERMANY". As the text indicates, it comes from Germany.
January 1997 (753)
PS-MPC.753 was the last known virus from this generator to be received.
Unknown Date
Shock.A and Shock.B are actually two completely different viruses. Shock.A is a memory resident infector of .exe files and is 620 bytes long. Shock.B is 401 bytes long and infects .com files when it is executed.
ARCV Family
ARCV or the ARCV-N series appeared in Manchester, England in October of 1992. The first three appear to have been generated by PS-MPC. Versions 1-8 are direct action infectors, while 9-10.B are memory resident. Versions 1-4 were discovered in October, 5-9 in November, while 10 and 10.B were from January and March respectively.
ARCV-1 is 826 bytes long and infects one .com or .exe file in the current directory with a preference for .exe, though avoids COMMAND.COM. It contains the text strings "Long Live The ARCV. MUFC for the League!", "(c) Apache Warrior, ARCV Pres. 92", "Welcome to the REAL World. And the ARCV 1 Virus!", and "[ARCV-1] Apache Warrior, ARCV Pres."
ARCV-2 is 692 bytes and infects .exe files. It infects one file in the current directory every time it is run. It contains the text strings "*.exe .. [ARCV-2] Apache Warrior, ARCV. Pres.", and "Help.. Help.. I`Sinking……..".
ARCV-3 is a 657 byte infector of .com files, including COMMAND.COM. It infects four with every execution. It includes the text strings "[ARCV-3] Apache Warrior.", "Yo.. I`ve Just Found a Virus.. Opps.. Sorry I`m the Virus, "Well let me introduce myself.." , "I am ARCV-3 Virus, by Apache Warrior.", "Long Live The ARCV and Whats an Hard ECU?", and "Vote Yes to the Best Vote ARCV..".
ARCV-4 is 664 bytes long and infects both .com and .exe files (giving preference to .exe) including COMMAND.COM. It infects three in the current directory. It contains the text strings "[ARCV-4] Apache Warrior, ARCV Pres.", "So Who`s the Best Then?", "Oh Well Sorry But The ARCV Are The Best!", and "Well Your in Favor with Us then."
ARCV-5 infects one .com file in the current directory, adding its 475 bytes to the end of the file. It contains the text strings "[ARCV-5] Apache Warrior, ARCV Pres" and "SU*.COM".
ARCV-6 is quite similar to 5, with the exception of the text string "[ARCV-6] Apache *.com" and being 335 bytes long.
ARCV-7 is a 542 byte infector of .exe files, infecting one every time the virus runs. The text string "[ARCV-7] Apache ARCV. *.exe" can be found in the encrypted code.
ARCV-8 is 679 bytes long and infects one .exe file every time it is run. It contains the text strings "Naughty, Naughty… ARCV Productions Ltd." and "[ARCV-8] *.exe".
ARCV-9 is a memory resident infector of .com files. It is 745 bytes long, takes up 2,048 bytes in memory and infects .com files as they are executed. It contains the text "[ARCV-9] Apache Warrior. *.com".
ARCV-10 is an 827 byte memory resident infector of both .com and .exe files, including COMMAND.COM. It will take up 1,648 bytes in memory. It will produce write protect errors when the user executes a file from a write-protected disk. It will display the message "Well its finally here The -= ARCV =-" Welcome To our New Members……….". It contains the encrypted text "[ARCV-10]" and "Apache Warrior". It has a variant, ARCV-10B, that is functionally similar but altered to avoid detection by security products that could detect the virus.
G2 Family
G2 is a modified version of the PS-MPC generator with some changes to the encryption mechanism. Most were made in August of 1993, but this generator saw use as late as 1995.
G2-A429 is 429 bytes long and infects a variable number of .com files in the current directory every time it is run, though it avoids COMMAND.COM. It contains the text "[PS/G???] Testing [G2 A] *.COM ..". After a few runs, .exe files may seem to disappear.
G2-A438 is a 438 byte memory resident infector of .exe files. It takes up 2,480 bytes in memory. It includes the text string "[PS/G???] Testing [G2 A2]".
G2-A615 is a 615 byte direct action infector of all .com and .exe files in the current directory and will infect COMMAND.COM. Execution of infected programs may cause system hangs.
G2-Celeste is a direct action infector of .com files that avoids COMMAND.COM. It infects up to 5 files in the current directory, adding 310 bytes to the end of the file. It contains the text string "[PS/G???] Straylight ][ Celeste Virus A *.COM ..".
G2-D598 is a memory resident infector of .com and .exe files, including COMMAND.COM. It is 598 bytes on the disk and 9,984 bytes in memory. It contains the text "[PS/G???] Captain [G2 D]".
G2-E513 is a 513 byte long direct action infector of .exe files. It infects up to five files on every execution. It contains the text string "[PS/G???] Captain [G2 E] *.EXE ..".
G2-Mudshark infects one .com file in the current directory each time an infected file is executed. It is 314 bytes long and contains the text string "[PS/G???] pentagrame mudshark *.COM ..".
G2.Punisher is a memory resident infector of .com and .exe files. It is 602 bytes long and about 1,200 bytes in memory. It contains the encrypted text "[PS/G???] Punisher Death Destruction Mayhem". It was discovered in February of 1994.
G2.Puppet, discovered in May of 1995, is a memory resident infector of .com files. It is 478 bytes on the disk and 1,088 bytes in memory. The following strings can be found in its code: "[PS/G???] eMpIrE-X" and "[G??? Puppet Masters 1 Virus]".