Mummy | |
---|---|
Type | File virus |
Creator | Qark |
Date Discovered | 1994.11 |
Place of Origin | Australia |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com, .exe |
Infection Length | 1,206 bytes |

Republic was a memory-resident, encrypted stealth infector of MS-DOS .COM and .EXE files, including COMMAND.COM. It appeared in Issue 2 of VLAD Magazine in November 1994. Republic shared many features with the VLAD virus, which appeared in the same issue of the magazine.
Behavior
Republic's infection schemes, memory residence, CPU prefetch trick, use of SFT entries and infection marker are all nearly identical to Vlad's. Both viruses use INT 21h AH=60h to create an upper-case full pathname for the victim, and they share the same FCB/ASCII FindFirst/FindNext size stealth. Republic's encryption seems to be aimed mainly at evading TBSCAN (Thunder-Byte Anti-Virus). The virus implements a 'stealth' scheme: files are disinfected on 'open' calls and infected on 'close', chmod, exec and rename. Republic includes the text strings:
Go the Republic! Fuck off Royal Family!
Qark/VLAD of the Republic of Australia
Variants
There is a 1,216 byte variant of this virus that is functionally similar to the original. It is unclear whether this is the work of Qark or someone who used the source code.
Sources
Original research by JPanic aka @JPanicVX