Mirror Virus

Alias: Flip Clone Virus
Strain:
detected when: 18-December-1990 (when VTC received virus code)
where: Hamburg, Germany
Classification: Program Virus, indirect action, postfix
Length: File: either 925 or 933 bytes; RAM: 928 bytes

Preconditions

Operating System(s): MS/PC-DOS
Version/Release:
Computer model(s): All IBM PC compatibles.
Caroname: Mirror

Attributes

Easy identification: ---

Type of Infection:

Program virus that only infects files with the extension EXE. The virus loads itself into RAM and hooks various INT 21h functions. When one of these is called, the virus searches the current directory for EXE files to infect. The virus is located behind the host program. A generation counter is incremented whenever an infected file is run again.

Infection Technique:
Infection Trigger: Any time an infected file is run.
Storage Media affected: Any logical disks.
Interrupts hooked: INT 21h Functions 0fh, 16h, 3ch, 3dh, 4b00h, 4b03h
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: Permanent damage: ---; Transient damage: when triggered, the screen will flip horizontally, character for character, but not in as sophisticated a manner as the Flip virus.
Damage Trigger: If a program is run with a generation counter of 10, a routine will be installed with INT 1ch pointing to it. After approximately 10 minutes, the damage will trigger.
Particularities: There are a number of possible design bugs in the virus that may cause unpredictable behaviour.
Similarities: Although its damage is similar to that of Flip, this is a completely different virus.

Agents

Countermeasures: --- - ditto - successful. McAfee's Scan version 72
Standard means: ---

Acknowledgements

Location: Virus Test Center, University Hamburg, Germany
Classification by: Morton Swimmer
Documentation by: Morton Swimmer
Date: 12-February-1991
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg