| Alias: | |
| Strain: | Murphy Virus Strain |
| detected when: | April, 1990 |
| where: | Sofia, Bulgaria |
| Classification: | Program virus, indirect action |
| Length: | 1521 bytes added to EXE and COM files. |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 3.xx and upward |
| Computer model(s): | IBM-PC's and compatibles |
| Caroname: | Murphy.Murphy.1521 |
Attributes | |
| Easy identification: | The virus contains the string: "It's me - Murphy. Copywrite (c)1989 by Lubo & Ian, Sofia, USM Laboratory." See also damage. |
Type of Infection: | Murphy is a program virus that appends itself to any COM or EXE file larger than 1521 bytes. COM files must be smaller than 63982 bytes. A file is judged as infected if the length between program entry and end of file is the same as the virus length. The virus also locates the original INT 13 handler and unhooks any other routines that have been hooked onto this interrupt and restores the interrupt to the original handler. Murphy installs itself into memory by modifying the MCB chain. It determines whether it is already in memory by executing INT 21 function 4B59h. If the carry flag is not set on return, then the memory is assumed to be not infected. |
| Infection Technique: | |
| Infection Trigger: | Infects file on execution and opening. |
| Storage Media affected: | Any logical drive. |
| Interrupts hooked: | INT 21 functions 4B, 3D00, 6C00 (bl=0) are used to infect files, and INT 24 and 13 are captured to mask out errors. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | A ball (character 07) bounces over the screen. |
| Damage Trigger: | This happens if the virus is active between 10:00 and 11:00 (AM). |
| Particularities: | INT 21 function 6C00 is the DOS 4.xx extended open/create function. This makes Murphy (1/2) one of the first viruses to make use of DOS 4.xx The virus knocks out the transient part of COMMAND.COM forcing it to be reloaded and thereby infected. |
| Similarities: | This virus was derived from Murphy-1. The code has been cleaned up a bit, but the main difference is in the damage. Much of the code was taken from Eddie-1 /Dark Avenger. The bouncing ball effect looks very much like the Italian-virus, but the code shows no similarities. |
Agents | |
| Countermeasures: | Checksumming programs will detect the virus, but have the side-effect of infecting every file on the disk if the virus is in memory.F-DLOCK in Fridrik Skulason's F-PROT package prevents files from being infected. (It was loaded before the virus was.) - ditto - successful.. --- |
| Standard means: | --- |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg |
| Classification by: | Morton Swimmer. The source listing came from Lubomir Mateev, |
| Documentation by: | Morton Swimmer |
| Date: | 12-June-1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg