The Murphy viruses

             *********************************************
             ***   Reports collected and collated by   ***
             ***            PC-Virus Index             ***
             ***      with full acknowledgements       ***
             ***            to the authors             ***
             *********************************************



  Vesselin Bontchev reported in May 1990:

  The Murphy viruses.
  ===================


  The first of them appeared a few weeks ago. It infects both .COM and
  .EXE files, is memory resident, non-destructive and infects files
  both when one executes or just copies them.  Its infective length is
  1277 bytes. To be infected, the files have to be greater than the
  infective length.  A closer look revealed that:

  - The most important parts of the virus were taken directly from the
  Dark Avenger virus. These include the installation in memory, the
  controllers' ROM scan, the way files are infected.

  - This is the first virus which not only supports PC-DOS version
  4.0 (for instance V2000 does this), but also uses it.  It also infects
  files when the function 6C00h (extended open/create) is executed.

  - If the virus is loaded in memory between 10 and 11 a.m., the
  computer's speaker is turned on and is reset on every DOS function
  call. This emits a strange "shuffling" noise - one can almost hear
  how the computer "thinks".

  - The virus contains the message " Hello, I'm Murphy.  Nice to meet
  you friend. I'm written since Nov/Dec.  Copywrite (c)1989 by Lubo &
  Ian, Sofia, USM Laboratory. ".  This message is never displayed.
  The "USM Laboratory" is non-existent.  "Lubo & Ian" do exist,
  however.  More about this later.

  - The virus does not infect .COM files greater than 64226 bytes.
  However, files greater than 64003 bytes refuse to run when infected.

  - File type (.EXE vs. .COM) is determined both by the file extension
  and by the file's first two bytes. The check is made only for `MZ',
  not for `ZM'.

  - Since it is able to find the original INT 13h handler (via the ROM
  scan - as the Dark Avenger virus does), the virus cannot be stopped
  by a TSR which only hooks the INT 13h vector.  It can be detected,
  however, by programs such as FluShot+, which also look for the
  Open-with-write-access function (AX=3D02h; INT 21h).

  - The virus infects the command interpreter as soon as an infected
  program is run. This is done in the same manner as in the Dark
  Avenger virus.


  - The virus has its own critical error handler.

  A few days ago, a young man came to me and said that he had a new
  virus that cannot be stopped by a memory resident program.  Since I
  received lots of reports of new viruses in the last month (see the
  descriptions above) and since most of the Bulgarian viruses tend to
  circumvent the memory resident protection programs, I was not very
  surprised.  I asked him about the main symptoms of the virus - what
  does it infect (files/boot sectors), infective length, how does it
  show itself (messages displayed, tunes played), does it contain some
  strings and so on. He said that the virus contains a message in which
  it names itself Murphy. "Oh, yes," I said, "I already know this one.
  It's rather common".  "It's impossible that you already know it",
  replied the young man, "I created it yesterday and have not released
  it yet!"

  It turned out that he spoke about a new version of the Murphy
  virus. He was very surprised that an early version of his virus had
  escaped and spread all over the country. He thought a bit, then he
  said: "Oh, yes, now I remember. A few months ago all my diskettes
  were stolen. Among them was the diskette containing the virus".
  Some jerks are *really* irresponsible!!!

  What to do with such types?! It's impossible to prosecute them - we
  do not have the appropriate laws (and his virus was not even
  destructive). Good old physical punishment comes to mind, but
  I'm against violence. Besides, he looked so naive - he didn't even
  realize that his virus is able to circumvent only the INT 13h
  monitors. And this kind of virus writer is the most boring and
  dangerous one.  With the "genial" virus writers (e.g., the author of
  the Number of the Beast) one can at least expect that if one gives
  them some interesting work, pays them well and so on, they will use
  their skills for something useful instead of creating viruses.  But
  the "apprentices" like the one I met are not even skilled enough to
  create their own virus - they steal the main ideas from someone else
  or just modify an existing virus.  They consider creating a virus as
  some kind of sport, as a way to prove to themselves that they are
  SOMETHING...


  Anyway, the new version of the Murphy virus (I call it Murphy-2) has
  an infective length of 1521 bytes. All the other properties are the
  same, except the damage function. Now every exact hour the virus
  jumps to the ROM Basic interpreter - since (as the author of the
  virus says) "everyone ought to learn Basic".  This may cause loss of
  data, if you are editing a large document and have not saved your
  changes.  Also, the message in the virus has been shortened a bit.
  Now it reads " It's me - Murphy.  Copywrite (c)1990 by Lubo & Ian,
  Sofia, USM Laboratory.  " There is also a minor change in the way
  the virus checks if it is already present in memory.  Murphy-1 uses
  function 4B59h and Murphy-2 uses function 4B4Dh of INT 21h.

  As I already said above, the "USM Laboratory" is non-existent.
  "Lubo & Ian" stands for Lubomir Mateev Mateev, Sofia, ul.
  "Budapeshta" 14, tel. 80-28-26 and for Iani Lubomirov Brankov,
  Mihailovgrad, ul. "G. Damianov" 6, tel.  2-13-34 respectively.  At
  least, these names, addresses and phones are written in the source
  listing of Murphy-2, which I received from one of the authors
  (Lubomir Mateev, more exactly).



===== Computer Virus Catalog 1.2: "Murphy-1" Virus (12-June-1990) ====
Entry.................. "Murphy-1" Virus
Alias(es).............. ---
Strain................. Murphy Virus Strain
Detected: when......... December, 1989
          where........ Sofia, Bulgaria
Classification......... Program virus, indirect action
Length of Virus........ 1277 bytes added to EXE and COM files.
------------------------ Preconditions -------------------------------
Operating System(s).... MS-DOS
Version/Release........ 3.xx and upward
Computer models........ IBM-PC's and compatibles
-------------------------- Attributes --------------------------------
Easy identification.... The virus contains the string:
                           "Hello, I'm Murphy. Nice to meet you
                           friend. I'm written since Nov/Dec.
                           Copywrite (c)1989 by Lubo & Ian, Sofia,
                           USM Laboratory." See also damage.
Type of infection...... Murphy is a program virus that appends itself
                           to any COM or EXE file larger than
                           1277 bytes. COM files must be smaller than
                           64226 bytes; however, if a COM file larger
                           than 64003 is infected, it will not run.
                           A file is judged as infected if the length
                           between program entry and end of file is
                           the same as the virus length.
                           The virus also locates the original INT 13
                           handler and unhooks any other routines
                           that have been hooked onto this interrupt
                           and restores the interrupt to the original
                           handler.
                           Murphy installs itself into memory by
                           modifying the MCB chain. It determines
                           whether it is already in memory by
                           executing INT 21 function 4B59h. If the
                           carry flag is not set on return, then the
                           memory is assumed to be not infected.
Infection trigger...... Infects file on execution and opening.
Media affected......... Any logical drive.
Interrupts hooked...... INT 21 functions 4B, 3D00, 6C00 (bl=0) are
                           used to infect files, and INT 24 and 13
                           are captured to mask out errors.
Damage................. The speaker is turned on and off which
                           produces a clicking noise.
Damage trigger......... This happens between 10:00 and 11:00 (AM).
Particularities........ INT 21 function 6C00 is the DOS 4.xx
                           extended open/create function. This makes
                           Murphy-1 one of the first viruses to make
                           use of DOS 4.xx.
                           The virus knocks out the transient part of
                           COMMAND.COM forcing it to be reloaded and
                           thereby infected.
Similarities........... Much of the code was taken from Eddie-1
                           /Dark Avenger.
                           This is the precursor to Murphy-2.
---------------------------- Agents ----------------------------------
Countermeasures........ Checksumming programs will detect the virus,
                           but have the side-effect of infecting
                           every file on the disk if the virus is in
                           memory. F-DLOCK in Fridrik Skulason's
                           F-PROT package prevents files from being
                           infected.
 - ditto - successful.. ---
Standard Means......... ---
----------------------- Acknowledgements -----------------------------
Location............... Bulgarian Academy of Science and
                        University of Hamburg, Virus Test Center
Classification by...... Morton Swimmer
Documentation by....... Vesselin Bontchev
Date................... 12-June-1990
Information source..... ---


======================= End of "Murphy 1" Virus ======================
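An added file-level check (example code, not from Bontchev's report or the catalog) that applies the Murphy-1 rules given above: a file must be longer than 1277 bytes to be infected, .COM files above 64226 bytes are not infected and above 64003 bytes will not run once infected, only an 'MZ' header counts as EXE, and a file is judged infected when the distance from its entry point to end of file equals the virus length. The 32-byte MZ header layout and the leading-JMP entry of the constructed .COM images are assumptions made for the sample data.

```python
import struct

MURPHY1_LEN = 1277            # infective length reported for Murphy-1
COM_MAX_INFECTABLE = 64226    # larger .COM files are not infected
COM_MAX_RUNNABLE = 64003      # infected .COM files above this size no longer run


def exe_entry_offset(data):
    """Entry point file offset of an MZ image; None if the 'MZ' (never 'ZM') check fails."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return None
    hdr_paras = struct.unpack_from("<H", data, 8)[0]   # header size in paragraphs
    ip, cs = struct.unpack_from("<Hh", data, 0x14)     # initial IP, relative CS
    return (hdr_paras + cs) * 16 + ip

def com_entry_offset(data):
    """Entry point of a .COM image: follow a leading near JMP (E9 rel16), else offset 0."""
    if len(data) >= 3 and data[0] == 0xE9:
        return (3 + struct.unpack_from("<h", data, 1)[0]) & 0xFFFF
    return 0

def assess(filename, data):
    """Apply the catalog's rules to one file image and report the findings."""
    size = len(data)
    # type needs both the extension and the 'MZ' bytes; a mismatch falls under the
    # .COM rules here (an assumption, the reports do not say what the virus does then)
    is_exe = filename.lower().endswith(".exe") and data[:2] == b"MZ"
    entry = exe_entry_offset(data) if is_exe else com_entry_offset(data)
    return {
        "is_exe": is_exe,
        # only files longer than the virus, and .COM files up to the size limit, get infected
        "infectable": size > MURPHY1_LEN and (is_exe or size <= COM_MAX_INFECTABLE),
        # the catalog's infection test: entry point to end of file equals the virus length
        "looks_infected": entry is not None and size - entry == MURPHY1_LEN,
        "runs_if_infected": is_exe or size <= COM_MAX_RUNNABLE,
    }

def make_com(total, jump_to=None):
    """Constructed .COM image: a leading JMP to `jump_to`, or an 'int 21h' exit stub."""
    head = (b"\xE9" + struct.pack("<H", (jump_to - 3) & 0xFFFF) if jump_to is not None
            else b"\xB4\x4C\xCD\x21")
    return head + bytes(total - len(head))

def make_exe(total):
    """Constructed MZ image: 32-byte (2-paragraph) header, CS:IP = 0:0, entry at offset 32."""
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, 8, 2)   # header size in paragraphs; IP and CS stay 0
    return bytes(hdr) + bytes(total - 32)
```

The "looks_infected" test is the catalog's own heuristic and will also flag any clean program whose entry point happens to sit exactly 1277 bytes before end of file, so treat it as a triage signal rather than proof.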



  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


