Mururoa.A, Mururoa.B, Mururoa.C

This is a resident, polymorphic, parasitic COM and EXE infector. It contains a two-phase decryptor. The virus avoids programs whose names contain any of the following strings: AVG, FV386, TURBO, FV86, GUARD, TOOLKIT, SCAN, VIRLAB, VIR, ASTA, VC, SSWAP, DEBUG, TD, STACKER, ALIK, REX, MSAV, CPAV, NOD, CLEAN, F-PRO, TBAV, TBDRIVER, TBCLEAN, TBSCAN, AVAST, NAV, VSHIE, DIZZ, COMMAND and VSAFE. The method it uses to check whether the name of a file being attacked contains one of these strings is copied almost completely from the SVL family of viruses. The virus detects its presence in memory by calling INT 21h with the value 6666h in register AX; in response it expects the number 1977 (hex). On the 4th day of the month the virus writes:

I have one mesage to all people on earth :
Stop all French nuclear testing in the PACIFIC
Dont forgot :Comon people dont like nuc. tests!
This is is a MURUROA 1.386 by Blesk
My greet to VYVOJAR,SVL,METABOLIS and all IRC.


So it seems that the Mururoa family is coming to an end, as the virus itself indicates by the name “Mururoa_End”. It is still a memory-resident, polymorphic, parasitic COM infector, 3449 bytes long. Compared to the previous variants, there are considerable changes in many parts of the virus body. The author obviously aimed for “anti-heuristic” decryptor code. The text the virus writes before each file execution on the 4th, 8th and 14th day of the month is also quite different:

I have one mesage to all people on earth :
All French nuc. test`s was STOPED. But MURUROA IS DEAD !!!!!
I am a coder of HELL FIRE and I BRING YOU >>>>>> FIRE <<<<<< By Blesk/SVL
NOTE: Name of this virus is [MURUROA_END]
By Blesk from Slovak Virus Laboratories at .SK
Real name of BOZA is BIZATCH.. STUPID A-VERS !!!

It seems that the viruses Mururoa.A, Mururoa.B and Mururoa.C tried to fight for a good cause: the termination of French nuclear tests. The author of the viruses is Blesk/SVL.

