Republic
Mummy
Type: File virus
Creator: Qark
Date Discovered: 1994.11
Place of Origin: Australia
Source Language: Assembly
Platform: DOS
File Type(s): .com, .exe
Infection Length: 1,206 bytes

Republic was a memory-resident, encrypted stealth virus that infected MS-DOS .COM and .EXE files, including COMMAND.COM. It appeared in Issue 2 of VLAD Magazine in November 1994. Republic shared many features with the VLAD virus, which appeared in the same issue of the magazine.

Behavior

Republic's infection schemes, memory residence, CPU prefetch trick, use of System File Table (SFT) entries and infection marker are all nearly identical to Vlad's. Both viruses use INT 21h AH=60h to create an upper-case full pathname for the victim file, and they share the same FCB/ASCII FindFirst/FindNext size stealth. Republic's encryption seems to be aimed mainly at evading TBSCAN (Thunder-Byte Anti-Virus). The virus implements a 'stealth' scheme: files are disinfected on 'open' calls and infected on 'close', chmod, exec and rename. Republic includes the text strings:

Go the Republic! Fuck off Royal Family!
Qark/VLAD of the Republic of Australia

Variants

There is a 1,216-byte variant of this virus that is functionally similar to the original. It is unclear whether this is the work of Qark or of someone who used the source code.

Sources

Original research by JPanic aka @JPanicVX
