Threat Encyclopedia


Win95/Marburg

This is a non-resident virus. Its author is Griyo from the 29A group. Its code uses several techniques from other viruses of this group. After the virus is executed, it tries to infect applications with the extensions EXE and SCR in the WINDOWS directory, including the subdirectory SYSTEM. It avoids files whose names start with the strings “PAND”, “F-PR” and “SCAN”. If the files “CHKLIST.MS”, “AVP.CRC” and “IVB.NTZ” are found in the above-mentioned directories, the virus deletes them. It marks already infected files by levelling their length. The virus infects files as follows: it does not alter the entry point value, but it alters the code located at the entry point. The virus is polymorphic; it is one of the first polymorphic viruses for Windows. The part of the code responsible for polymorphism also performs so-called slow mutation, meaning that the character of the generated decryptors changes over time. The virus handles potential errors during infection and activates three months after the infection. If you run the infected application at the same hour as it was infected, a white cross in a red circle will be displayed at a random place on the screen.
Marburg is found worldwide because its author placed it in the NukeLab utility, which is used to “kick off” an unwanted person from an IRC channel. The virus was also found on several CD-ROMs produced by publishers of magazines containing games.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.