| Alias: | Music Virus |
| Strain: | |
| detected when: | February 1989 |
| where: | |
| Classification: | Program Virus (extending), Direct Action, RAM-resident |
| Length: | COM-files: length increased by 2756-2806 Byte, always divisable by 51. |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | Oropax |
Attributes | |
| Easy identification: | Typical texts in Virus body (readable with HexDump facilities): "????????COM" and "COMMAND.COM" |
Type of Infection: | System: RAM-resident, infected if function 33E0h of interrupt 21h returns 33E0h in AX-register. .COM File: extending by using FindFirst/FindNext- function in the home directory until a COM File is encountered with a different Attribute than N or A. Files are only infected once. The following .COM-files will not be infected: - COMMAND.COM, - COM files with length divisible by 51, - COM file with an attribute other than N or A, - COM files longer than 61980 Bytes. .EXE File: no infection. |
| Infection Technique: | |
| Infection Trigger: | When any of the following INT 21h functions: 39h, 3Ah, 3Ch, 3D01h, 41h, 43h, 46h, 13h, 16h, or 17h are called; these functions are also used by other resident DOS commands, e.g. MD, RD, DEL, REN, and COPY. |
| Storage Media affected: | |
| Interrupts hooked: | INT08h, INT20h, INT21h, INT27h |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient Damage: After 5 minutes, the virus will start to play three melodies repeatly with a 7 minute interval in between. This can only be stopped with a reset. OROPAX and earcaps can be used to avoid "music overload". |
| Damage Trigger: | Using a random number generator, the virus decides whether to become active. |
| Particularities: | |
| Similarities: | |
Agents | |
| Countermeasures: | ANTIORO.EXE finds and restores infected programs (only for OROPAX). |
| Standard means: | notice .COM file length |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Thomas Lippke |
| Documentation by: | Morton Swimmer |
| Date: | July 15, 1989 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg