| Alias: | |
| Strain: | MtE-based |
| detected when: | June 1992 |
| where: | USA |
| Classification: | Polymorphic, memory-resident program (COM and EXE, appending) |
| Length: | 1. In RAM: 140 paragraphs; 2. on file: variable on disk due to MtE. |
Preconditions | |
| Operating System(s): | MS/PC DOS |
| Version/Release: | 3.0+ ??? |
| Computer model(s): | All 80x86-based PCs |
| Caroname: | MtE.Groove |
Attributes | |
| Easy identification: | Programs stop running as expected if at all. |
| Type of Infection: | COM & EXE programs (not based on extension) |
| Infection Technique: | |
| Infection Trigger: | Execution using INT 21h function 4B. |
| Storage Media affected: | All (diskettes, hard disk) |
| Interrupts hooked: | INT 21h, INT 24h |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient damage: The following message is displayed either after 12:30 midnight, based on the tick count returned by INT 1Ah on systems with an RTC, or every time a file is infected: "Dont wory, you are not alone at this hour... This Virus is NOT dedicated to Sara its dedicated to her Groove (...Thats my name) This virus is only a test virus therefore be ready for my Next Test .." This message is not readable in most mutations due to encryption. Permanent damage: The virus deletes the following files upon activation: C:\NAV_._NO, C:\NOVIRCVR.CTS, C:\NOVIPERF.DAT, C:\CPAV\CHKLIST.CPS, C:\TOOLKIT\FILES.LST, C:\UNTOUCH\UT.UT1, C:\UNTOUCH\UT.UT2 |
| Damage Trigger: | Execution of an infected file |
| Particularities: | Virus does not check file extension to determine its type, but rather checks for "MZ" or "ZM" at the start of a file and assumes EXE-type if a match is found; otherwise, it infects as a COM-type file. Infected files will not run properly. |
| Similarities: | --- |
Agents | |
| Countermeasures: | Same as above, but all antivirals that can detect MtE-based viruses 100% of the time should be effective. |
| Standard means: | Delete infected files and restore clean copies. |
Acknowledgements | |
| Location: | Baltimore, MD, U.S.A. |
| Classification by: | Tarkan Yetiser, VDS Advanced Research Group |
| Documentation by: | Tarkan Yetiser |
| Date: | 29-June-1992 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg