| Alias: | |
| Strain: | MMIR strain |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, Other!??? , resident |
| Length: | 421 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | MMIR.Ravage |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus appends itself to the files Selfrec in memory: [0:265] = 0240H Selfrec on disk: File[1,2] = FileLength-3-VirusLength { i.e. if JMPoffset corresponds tothat of an infected file } |
| Infection Technique: | |
| Infection Trigger: | Exec or Open and FileLength>=24 |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B00, 21/3D00, 21/3E00, 21/6C00 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - |
| Damage Trigger: | Transient: - Permanent: - |
| Particularities: | The virus resides in the interrupt vector table. The virus resides at the memory address: 0:240 Data files corrupted - the virus by mistake infectsdata files being opened as if they are COM or EXE files.Segmented EXE files (self-extracting archives etc.)corrupted.Too long COM files will be corrupted when infected.When the virus is memory resident, usage of INT 90through INT DD may cause system crashes.Running a program from a write-protected floppymay cause "Write protect" DOS error message.Attempt to COPY or TYPE a file under MS-DOS 5.0results in system hanging. Not displayed text: "RAVAGE! (c) Metal Militia / Immortal Riot" The virus infects files being opened (INT 21/3D00),but does not check their extensions, resultingin "infecting" data files also.The virus intercepts also Close (21/3E00) andExtended Open (21/6C00) but treats them erroniously.This results in hanging the system under MS-DOS 5.0 -seems, COMMAND.COM 5.0 uses INT 21/6C to COPY/TYPE. |
| Similarities: | MMIR.Extasy, MMIR.Das_Boot |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Dmitry O. Gryaznov |
| Documentation by: | Dmitry O. Gryaznov |
| Date: | 1993-12-10 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg