MIX1 Virus

Alias:	Mixer1
Strain:
detected when:	August 22, 1989
where:	BBSs in Israel
Classification:	Program virus (.EXE files) - Extending, RAM-resident.
Length:	1. Infected .EXE files enlarged by 1618-1634 bytes (depends on the original file size). 2. 2048 bytes in RAM.
Preconditions
Operating System(s):
Version/Release:	2.0 or later.
Computer model(s):	IBM-PC, XT, AT and compatibles
Caroname:	Icelandic.1618.A
Attributes
Easy identification:	1. "MIX1" are the last 4 bytes of the infected file. 2. In DEBUG to check byte 0:33C. If this equals 77h, then the virus is in memory.
Type of Infection:	System: Infected if byte 0:33C equals 77h. .EXE files: Only files which do not have a signature at their end are infected. File length is increased by 1618 - 1634 bytes.
Infection Technique:
Infection Trigger:	When executing/load .EXE files through interrupt 21h service 4bh.
Storage Media affected:
Interrupts hooked:	21h, 14h, 17h, optionally 8,9 (after 6th level of infection).
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:	Garbled output on parallel and serial connec- tions, after 6th level of infection boot will crash the system (a bug), num-lock is constantly on, a ball will start boun- cing.
Damage Trigger:	After executing and infected file is executed
Particularities:	1. Booting may crash the computer (possibly a bug). 2. Memory allocation is done through direct MCB control. 3. Does not allocate stack, and therefore makes some files unusable. 4. Infects only files which are bigger than 8K.
Similarities:
Agents
Countermeasures:	Virus Buster will locate the virus and upon request, will remove it.
Standard means:	Check byte 0:33C (cf: Easy identifications).
Acknowledgements
Location:
Classification by:	Yuval Tal (NYYUVAL@WEIZMANN.BITNET), Ori Berger
Documentation by:	Yuval Tal (NYYUVAL@WEIZMANN.BITNET), Ori Berger
Date:	December 19, 1989
Information Source:

MIX1 Virus

Preconditions

Attributes

Agents

Acknowledgements