Prevent Online Threats

Archive for August, 2007

Markiz.2620

Friday, August 31st, 2007

Details
Markiz.2620

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
[-DEDiCA+ED-Ï0-MARKiZ-]
This virus writes itself to the beginning of COM files and to the end of EXE files that are accessed with the DOS ASCII FindFirst/FindNext functions (AH=4Eh, 4Fh). DOS performs these functions while locating a file that is being executed from the command line, and the virus infects the file at that moment. The virus checks the file name before infecting, and does not infect the file if any of the following strings is found at the beginning of the file name:
ADIN AID ANT DRW FIND MSA NAV VSA WEB

With a probability of 1/256, when a file matching FO?MA*.EX* (FORMAT.EXE) is executed, the virus renames it to *.?d? (where 'd' stands for the character with ASCII code 229).
In February and October, some time after installation, the virus displays messages, and manifests itself with video and sound effects.

Markiz.1972

Friday, August 31st, 2007

Details
Markiz.1972

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
MARKIZ-4/³1995

This virus uses a rather complex method of infecting files: it encrypts and writes itself to the end of the file, then writes the decryption loop and a jump-to-virus instruction into the middle of the file, at the address of the first INT 21h call the program makes when it executes. While infecting, the virus does not modify the beginning of the file (except the Module Length fields in the EXE header):

   Not infected file             Infected file
   +-----------------+           +-----------------+
   | ...             |           | ...             |
   |-----------------|           |-----------------|
   | call to INT 21h |           | decryption loop |
   |-----------------|           | JMP Virus       |---+
   | ...             |           |-----------------|   |
   | ...             |           | ...             |   |
   +-----------------+           |-----------------|<--+
                                 | virus           |
                                 |                 |
                                 +-----------------+

To implement this method, the virus intercepts all INT 21h functions. When a file is executed (AX=4B00h), the virus switches into "infection mode" and returns control to the original INT 21h handler. DOS loads the file into memory and passes control to the file's code. Programs normally call various INT 21h functions; the virus intercepts the first such call, takes the address of the code that made it, converts that address into an offset within the file, and writes its decryption routine and JMP Virus code to the file at that offset.
The virus checks the file to avoid infecting packed files and overwriting relocated addresses in EXE files: before overwriting, it compares the code in memory with the code at the corresponding offset in the file. If the two differ, the virus does not infect the file.
To detect termination of the program and turn off "infection mode", the virus also hooks INT 20h and 27h. This is necessary in case the program makes no INT 21h calls while running.
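The two checks the description above turns on can be reproduced on a DOS EXE in a few lines: the declared module length in the MZ header versus the bytes actually on disk (appending viruses either update the Module Length fields or leave an overhang), and the translation of an in-memory CS:IP back to a file offset so the bytes in memory can be compared with the bytes in the file before anything is patched. The following is an added example, not code from the original page; it uses only the public DOS MZ header layout, and the sample executable it inspects is constructed inside the block.

```python
"""Added example: MZ header checks mirroring the Markiz.1972 description.

Two operations are shown:
  1. appended_bytes()  - bytes beyond the module length the header declares;
  2. safe_to_patch()   - the pre-infection check: the code seen in memory at
     CS:IP must match the file at the computed offset, and no load-time
     relocation may fall inside it (otherwise a packer or a fixup changed it).
The sample EXE below is constructed here and is not a real program.
"""
import struct

# DOS EXE header fields, in order: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr,
# e_minalloc, e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
MZ = struct.Struct("<2s13H")


def parse_mz(data):
    """Return the header fields needed for the checks below."""
    if len(data) < MZ.size:
        raise ValueError("too short for an MZ header")
    f = MZ.unpack_from(data, 0)
    if f[0] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp, e_crlc, e_cparhdr = f[1], f[2], f[3], f[4]
    # Declared module length: e_cp pages of 512 bytes, the last page holding
    # only e_cblp bytes when e_cblp is non-zero.  These are the "Module Length
    # fields" an appending virus must update to cover its own body.
    declared = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    return {
        "header_bytes": e_cparhdr * 16,   # where the load module starts in the file
        "declared_size": declared,
        "reloc_count": e_crlc,
        "reloc_table": f[12],
        "entry": (f[11], f[10]),          # initial CS:IP relative to the load segment
    }


def appended_bytes(data):
    """Bytes on disk beyond the declared module length (positive = overhang)."""
    return len(data) - parse_mz(data)["declared_size"]


def relocations(data):
    """Module offsets of every word DOS patches with the load segment."""
    h = parse_mz(data)
    out = []
    for i in range(h["reloc_count"]):
        off, seg = struct.unpack_from("<HH", data, h["reloc_table"] + 4 * i)
        out.append(seg * 16 + off)
    return out


def mem_to_file_offset(data, load_seg, cs, ip):
    """File offset of the code at CS:IP once the module is loaded at load_seg
    (the segment immediately after the PSP)."""
    module_off = (cs - load_seg) * 16 + ip
    if module_off < 0:
        raise ValueError("address lies below the load module")
    return parse_mz(data)["header_bytes"] + module_off


def safe_to_patch(data, load_seg, cs, ip, mem_bytes):
    """True only if the bytes in memory equal the bytes in the file at the
    computed offset and no relocation word overlaps them."""
    file_off = mem_to_file_offset(data, load_seg, cs, ip)
    if data[file_off:file_off + len(mem_bytes)] != mem_bytes:
        return False
    start = file_off - parse_mz(data)["header_bytes"]
    end = start + len(mem_bytes)
    # a relocated word occupies [r, r + 2); reject any overlap with [start, end)
    return not any(r < end and r + 2 > start for r in relocations(data))


def build_sample_exe(tail=b""):
    """Constructed 2-paragraph MZ file with one relocation and a tiny code
    module; `tail` simulates bytes appended after the declared module."""
    code = bytes([0xB8, 0x00, 0x00,   # mov ax,0000   (word at module offset 1 is relocated)
                  0x8E, 0xD8,         # mov ds,ax
                  0xB4, 0x09,         # mov ah,09h
                  0xCD, 0x21,         # int 21h       (module offset 7)
                  0xB8, 0x00, 0x4C,   # mov ax,4C00h
                  0xCD, 0x21])        # int 21h
    header_paras = 2                  # 28-byte header + one 4-byte relocation entry
    module_len = header_paras * 16 + len(code)
    e_cp, e_cblp = divmod(module_len, 512)
    if e_cblp:
        e_cp += 1
    header = MZ.pack(b"MZ", e_cblp, e_cp, 1, header_paras, 0, 0xFFFF,
                     0, 0, 0, 0, 0, MZ.size, 0)
    reloc_entry = struct.pack("<HH", 1, 0)   # offset 1, segment 0
    return header + reloc_entry + code + tail


if __name__ == "__main__":
    exe = build_sample_exe(b"V" * 1972)
    print("appended bytes:", appended_bytes(exe))
    # the program's first INT 21h sits at CS:0007 with load segment 1000h
    print("file offset of int 21h:", mem_to_file_offset(exe, 0x1000, 0x1000, 7))
    print("patchable at int 21h:", safe_to_patch(exe, 0x1000, 0x1000, 7, b"\xcd\x21"))
    # at offset 0 DOS has relocated 'mov ax,0' into 'mov ax,1000h': memory != file
    print("patchable at entry:", safe_to_patch(exe, 0x1000, 0x1000, 0, b"\xb8\x00\x10"))
```

The second safe_to_patch call fails for both reasons the description lists: the in-memory bytes no longer match the file because DOS applied the relocation, and the relocation itself overlaps the would-be patch site. A packed executable fails the same comparison because the code running in memory is the unpacked image, not the bytes stored on disk.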

Mark13.782

Friday, August 31st, 2007

Details
Mark13.782

It is a dangerous memory resident parasitic virus. It hooks INT 21h and, on disk access calls, searches for *.COM files and writes itself to the end of the file. While installing itself into system memory, the virus copies its code to address 9000:0100 without adjusting the memory allocation blocks, which can hang the system.
The virus contains the text:
MARK13-Review

Maripuri.1942

Friday, August 31st, 2007

Details
Maripuri.1942

It is a very dangerous non-memory-resident parasitic virus. It searches for EXE files in the directory tree and writes itself to the end of the file. If no EXE files are found, the virus erases the CMOS and the FAT of drive C:, and overwrites the MBR of the hard drive with a program that displays the message:
Virus MARIPURI 1.0
By FredSoft C.O.
Made in Spain, IV-1.992

The virus also contains the string:
*.EXE *.COM *.*

Trojan-Dropper.Win32.Small.dl

Friday, August 31st, 2007
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 24 576 bytes in size. It is written in C++. Installation When launched, the Trojan copies its executable file to the Windows system directory under the original file name. %System%\<original name of Trojan file> In...

Trojan-Dropper.VBS.Bomgen.r

Friday, August 31st, 2007
This Trojan installs other malicious programs to the victim machine without the knowledge or consent of the user. It is written in Visual Basic Script. It is approximately 8KB in size.

Trojan-PSW.Win32.Nilage.a

Friday, August 31st, 2007
This Trojan is one of a family of Trojans which steal user passwords. It is a Windows PE EXE file. It is 52 925 bytes in size. It is packed using FSG. Installation When launched, the Trojan copies its executable file to the following location: %Program Files%\rundll32.exe The Trojan also...

Mario Family

Friday, August 31st, 2007

Details
Mario Family

These are memory resident parasitic viruses. They hook INT 18h and 21h and write themselves to the end of EXE files that are executed or opened.
"Mario.661" also infects files that are renamed. This virus has bugs and may corrupt files while infecting them. It contains the text string:
Mario Genius

“Mario.746″ displays:
Joannie Tomczykall
Mario Genius
(c) 02.95.

Marine.5000

Friday, August 31st, 2007

Details
Marine.5000

This is a very dangerous memory resident encrypted stealth parasitic virus that hooks INT 21h and 25h, and writes itself to the beginning of COM and EXE files that are accessed. While infecting, the virus encrypts the original beginning of the file.
On June 5th and 21st, the virus disables the DOS FindFirst call while files are being searched for on floppy disks; as a result, DOS shows nothing on them. On Saturdays in June, the virus overwrites .PAS and .CPP files with the text:
There is nothing in the world that I ever wanted more than to never feel
breaking apart all my programs again.

In June the virus displays the text "BCE HA MOPE !!!" ("LET'S GO TO SEA !!!") and manifests itself with a video effect (it displays images of the sea, the sun, a beach and a moving yacht). While this effect runs, the virus encrypts disk sectors.
The virus also contains the text strings:
COMMAND.COM
.COM.EXE.PAS.CPP
I`m the Ghost V1.2. Check. Your move, Mr.AntiVirus ! My author`s
coordinates are:Sun system, Earth, Europe, Russiall 2B continued… The
more we know,the less we show.

Marian.700

Thursday, August 30th, 2007

Details
Marian.700

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or opened. It contains the text strings:
BULPACK BBS - PLOVDIV
Copyright (c) Marian Delkinov
PEDY PATENT.

Maresme.1062

Thursday, August 30th, 2007

Details
Maresme.1062

It is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or opened. In some cases it erases sectors of the hard drive and displays:
GAME OVER

It contains the additional text string:
Virus Maresme Show by XUTE !!!

Marawi.2828

Thursday, August 30th, 2007

Details
Marawi.2828

It is a memory resident parasitic virus that is not dangerous. It hooks INT 8 and 21h and writes itself to the end of COM and EXE files that are executed. Some time after installation it manifests itself with a video effect: it displays the following message and draws a picture:
   +------------------------------------------------------+
   | Ang VIRUS na ito ay taos-puso naming inaalay kay     |
   | Professor HERMILITO GO ng MSU-IIT. Kung hindi        |
   | dahil sa kanyang KAHAMBUGAN ang VIRUS na ito ay      |
   | hindi maisasakatuparanall                            |
   |                                                      |
   | Signing off,                                         |
   |                                                      |
   +------------------------------------------------------+
(Tagalog: "This VIRUS is wholeheartedly dedicated to Professor HERMILITO GO of MSU-IIT. If not for his ARROGANCE this VIRUS would not have been realized. Signing off,")

It also contains the text strings:
MSU Philippines
BY: Someone of MSU Main Campus, Marawi City

Mao.1465

Thursday, August 30th, 2007

Details
Mao.1465
This is a benign memory resident, partly encrypted parasitic virus. It hooks INT 1Ch and 21h, and writes itself to the end of COM and EXE files that are executed. The virus also infects files when the DOS FCB FindFirst/FindNext functions (used by the DIR command) are called. On September 9th (the day of Mao Tse Tung's death) and on December 26th (his birthday), the virus plays two Chinese tunes.

Mao.1000

Thursday, August 30th, 2007

Details
Mao.1000

This is a harmless virus. It hooks INT 21h and writes itself to the end of COM files that are executed. It does not manifest itself in any way.

Manzon Family

Thursday, August 30th, 2007

Details
Manzon Family

These are harmless memory resident polymorphic parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or closed. The viruses contain the text strings:
“Manzon.1404,1414″: MANZON (c) Sgg1F5PZ
“Manzon.Burning”: tHe bURnInG zOnE CWUR_UUM
“Manzon.Variant”: MANZON Variant 1

