Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically



This is a non-resident direct action COM and EXE infector. It is 1554 bytes long. It infects files with length of minimum 300 bytes and maximum 63712 bytes (COM) or 384 kilobytes (EXE). It marks the already infected files by a combination of the time of the file origin. When infecting the virus temporarily renames the victim: it uses the same filename but with the extension “.M03”. It avoids programs starting with: AVG, AVP, CLEAN, GUARD, IV, NAV, NOD, SCAN, TB, VIRSTOP, WEB and HIEW. It deletes files ANTI-VIR.DAT, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, IVB.NTZ and SMARTCHK.CPS. It contains the text:

Virus Malatinec v0.3 Note: this is evolutionary (beta) version only. Be Happy!

Malatinec.2367, Malatinec.2396

These are memory resident COM and EXE infectors attacking suitable files when they are being executed. When infecting the virus temporarily renames the victim: it uses the same filename but with the extension “.M04”. Both these viruses do not attack programs with names starting with one of the following strings: COMMAND, ADINF, AVG, AVP, CLEAN, DRWEB, F-, FINDVIRU, FV, GUARD, IBMAVS, IV, NAV, NOD, SCAN, TB, TOOLKIT, VIRSTOP, VIVERIFY, WEB, HIEW. Both these viruses delete files of check sums in some of the anti-virus programs: ANTI-VIR.DAT, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, CHKLIST.TAV, FINGERP.VVF, FSIZES.QCV, IVB.NTZ, NAV_._NO, SMARTCHK.CPS, _CHK.CHK.

in addition does not attack files starting with the strings DOS4GW and KRNL and it deletes also the file AVG.GRS created by the anti-virus program AVG. The viruses contain the following text:

Virus Malatinec v.0.4d created by Aladiah Greet: all my friends in Slovakia; G722,E10,H723,H118 & all H4?? (sch.yr.95/96) & of coz i send a big fuck 2 big boxer V.M. Note: this is last evolutionary (?) version. Don't Worry! Watch out DOS4GW, KRNL


This is an encrypted, memory resident COM and EXE infector with implemented semi-stealth technology. The virus has three simple cyclic decryptors; the second one is a part of the interrupt INT 1Ch service and the third one is a part of the interrupt INT 1 service and executes itself in the “single step” regime of the processor. The virus code is written so as to prevent detection of the virus by means of anti-virus programs and to prevent its analysis. After its installation the virus services the interrupt INT 21h. It conceals the increase in the files length and when programs are executed it attacks them. Substantial part of the virus is encrypted in the memory and gets decrypted only when it is necessary. If at the instant when a file is run the number of hours, minutes and seconds equal and the year is higher than 1998 the virus presents itself by means of a funny message on the screen. Then it waits for a keystroke. The virus chooses randomly from the following sentences:

Ked sa budes dobre ucit, dcerenka, stanes sa manekynkou.
Don't dread! I'm friendly ghost :)
Critical Error - Use (MC) Hammer.
REALITY.SYS corrupted - reboot Universe ? [Y,n]
I'm INside. (what's about your heuristic?)
Memory failed. Use paper.
Attention. High voltage on keyboard!
Prosím Vás, Zastavte HZDS !

Before the year 19998 texts are displayed only in case that not only the abovementioned conditions are met but in addition the number of hours equals the number of hundredths of seconds at the time of a program execution. The virus does not attack programs which are run if the data about the system time are equal to the time of infection of the file from which the virus was installed into the memory. The virus tries to deactivate resident system protections TBAV, NOHARD, NOFLOPPY and VSAFE, DISKMON and one more unidentified utility from the Norton Utilities package. It avoids attacking the programmes with names starting with strings: COMMAND, AFD, CHKDSK, DOS4G, HIEW, KRNL, SCANDISK, WIN, ADINF, AIDS, ANTI, AST, AUTHOR, AVAST, AVG, AVP, AVSCAN, BAIT, CERT, CLEAN, CPAV, CRC, DRWEB, F-, FINDVIR, FV86, FV386, GOAT,GUARD, IBMAV, ICE, IV, MKS, MSAV, NAV, NOD, PAS, QCV, QMS, SCAN, TB, TKUTIL, TOOLKIT, V-, VAC, VDS, VIR, VIVERIFY, PCSCAN, WEB, ADINF. It deletes also files with check sums with names ANTI-VIR.DAT, AVG.GRS, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, CHKLIST.TAV, CRCHECK.TXT, FINGERP.VVF, FSIZES.QCV, ICE_?.CRC, IM.PRM, IVB.NTZ, MSAV.CHK, NAV_._NO, NODEX_?.DAT, SMARTCHK.CPS.
In addition the virus contains the following text string in hackers slang:

[Malatinec] by Aladiah (C) 4/97 Hey man, what are you looking for ?!

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.