Prevent Online Threats

Archive for September, 2007

Multiani

Sunday, September 30th, 2007

This is a dangerous memory resident boot virus. It hooks INT 13h and writes itself to the boot sectors of floppy disks and to the first boot sector of the hard drive. While infecting a sector, the virus patches the code of the standard boot routine in the boot sector: it writes a JMP instruction at the beginning of that routine and writes the virus loader (37h bytes) into the area of the system error messages at offset 01A4h. Then the virus writes its main code to the last sector of the root directory.
While loading from such a sector, the patched code interrupts the standard boot routine; the virus loader receives control, reads the main virus code, hooks INT 13h, and returns control to the standard boot routine.
This way of infection corrupts the code of non-MS-DOS boot sectors, and the system halts while loading from an infected disk.
In December the virus displays the following message:
La multi ani !

The virus also contains the following text strings; the second string is encrypted:
SoSo3
! ina itlum aL
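The boot-sector patch described above (a JMP written at the start of the standard boot routine, and the loader placed over the error-message area at offset 01A4h) can be checked for statically. The following Python is an added example, not code from the original post; it assumes the offset and length quoted in the description, and the two sample sectors it builds are constructed placeholders, not real disk images.

```python
SECTOR_SIZE = 512
LOADER_OFF = 0x1A4   # offset of the error-message area the loader overwrites (from the description)
LOADER_LEN = 0x37    # loader length quoted in the description

def decode_jmp(sector, off):
    """Target of a JMP SHORT (EB rel8) or JMP NEAR (E9 rel16) at `off`, else None."""
    op = sector[off]
    if op == 0xEB:
        return (off + 2 + int.from_bytes(sector[off + 1:off + 2], "little", signed=True)) & 0xFFFF
    if op == 0xE9:
        return (off + 3 + int.from_bytes(sector[off + 1:off + 3], "little", signed=True)) & 0xFFFF
    return None

def text_ratio(region):
    """Share of bytes that look like message text (printable ASCII, CR, LF, NUL)."""
    return sum(0x20 <= b < 0x7F or b in (0x0D, 0x0A, 0x00) for b in region) / len(region)

def inspect_boot_sector(sector):
    """Look for the two signs described above: the boot routine now starts with a JMP
    into the error-message area, and that area no longer holds text."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector with the 55AA signature")
    routine = decode_jmp(sector, 0) or 0        # byte 0 of a DOS boot sector jumps over the BPB
    target = decode_jmp(sector, routine)
    into_loader = target is not None and LOADER_OFF <= target < LOADER_OFF + LOADER_LEN
    ratio = text_ratio(sector[LOADER_OFF:LOADER_OFF + LOADER_LEN])
    return {"routine_start": routine, "jump_target": target,
            "message_area_text_ratio": ratio, "suspicious": into_loader and ratio < 0.8}

def make_samples():
    """Constructed clean and patched sectors; placeholders, not real disk data."""
    clean = bytearray(SECTOR_SIZE)
    clean[0:3] = b"\xEB\x3C\x90"                   # JMP SHORT 0x3E; NOP (standard DOS layout)
    clean[0x3E:0x43] = b"\xFA\x33\xC0\x8E\xD0"     # CLI; XOR AX,AX; MOV SS,AX: typical routine start
    msg = b"Non-System disk or disk error\r\nReplace and press any key\r\n"
    clean[LOADER_OFF:LOADER_OFF + len(msg)] = msg
    clean[510:512] = b"\x55\xAA"
    patched = bytearray(clean)
    rel = LOADER_OFF - (0x3E + 3)                  # JMP NEAR from the routine start to the loader area
    patched[0x3E:0x41] = b"\xE9" + rel.to_bytes(2, "little")
    # opaque placeholder bytes standing in for the loader; not the virus code
    patched[LOADER_OFF:LOADER_OFF + LOADER_LEN] = bytes(range(0x80, 0x80 + LOADER_LEN))
    return bytes(clean), bytes(patched)
```

On a real image the check only says that the routine was redirected into the message area; comparing the sector against a known-good copy of the same DOS version remains the definitive test.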

Multi.2560 Family

Sunday, September 30th, 2007

These are harmless memory resident stealth viruses. They hook INT 21h and write themselves to the end of COM, EXE, SYS and OVL files. The date of infected files is advanced by 100 years. The viruses do not infect files with the Read-Only attribute, and remove themselves from infected files that are executed or traced.
While installing, they scan the INT 21h handlers in the DOS kernel area and patch the internal DOS INT 2Ah call (MOV AH,82h; INT 2Ah) with an instruction that jumps to the virus body.
These viruses contain in their bodies the code of the following viruses:
"Multi.2560.a": "Small.123,131"
"Multi.2560.b": "Small.104,110"

and sometimes launch one of them. The viruses contain the text:
MultiVirus(R), Release 1.0, Copyright (c) 1990-91 by Ç¡ñ___¬á
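The 100-year date shift mentioned above is visible in the raw FAT directory entries, so a scanner can flag it without relying on DOS calls. The following Python is an added example, not code from the original post; it assumes the standard 32-byte FAT directory-entry layout (attributes at offset 11, last-write date at offset 24), and the root directory it scans is a constructed sample, not data from a real disk.

```python
import struct

ATTR_READ_ONLY = 0x01   # files with this attribute are skipped by the viruses, per the description
ENTRY_SIZE = 32

def decode_fat_date(raw):
    """FAT date word: bits 15-9 = year since 1980, 8-5 = month, 4-0 = day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def parse_entry(entry):
    """Parse one 32-byte directory entry into name, attributes and last-write date."""
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    raw_date = struct.unpack_from("<H", entry, 24)[0]
    return {"name": f"{name}.{ext}" if ext else name, "attr": entry[11],
            "date": decode_fat_date(raw_date)}

def flag_shifted_dates(directory, reference_year, shift_years=100):
    """Names of entries whose write year is at least `shift_years` ahead of
    `reference_year`; that offset is the marker the description gives for infected files."""
    hits = []
    for off in range(0, len(directory), ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if len(entry) < ENTRY_SIZE or entry[0] in (0x00, 0xE5):   # unused or deleted entry
            continue
        info = parse_entry(entry)
        if info["date"][0] - reference_year >= shift_years:
            hits.append(info["name"])
    return hits

def make_entry(name, ext, attr, year, month, day):
    """Construct a sample 32-byte entry with the given attributes and last-write date."""
    e = bytearray(ENTRY_SIZE)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = attr
    struct.pack_into("<H", e, 24, ((year - 1980) << 9) | (month << 5) | day)
    return bytes(e)

# Constructed root directory: a clean file, a read-only file, and a file whose date
# sits 100 years ahead of the reference year (the shift the description reports).
REFERENCE_YEAR = 1991
SAMPLE_DIR = (make_entry("COMMAND", "COM", 0x20, 1991, 4, 9)
              + make_entry("CONFIG", "SYS", ATTR_READ_ONLY, 1991, 4, 9)
              + make_entry("GAME", "EXE", 0x20, 2091, 4, 9))
```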

Mul.443

Sunday, September 30th, 2007

This is a harmless memory resident multipartite virus. When an infected file is executed, the virus writes itself to the MBR of the hard drive. While loading from an infected disk, the virus hooks INT 1Ch, waits for DOS to load, hooks INT 21h and then writes itself to the end of COM and EXE files that are executed. The virus does not manifest itself in any way.

Muhamor.4608

Sunday, September 30th, 2007

This is a dangerous memory resident polymorphic double-encrypted parasitic virus. It hooks INT 12h and 21h and writes itself to the beginning of COM files and to the middle of EXE files that are executed or opened. The virus has bugs and may corrupt EXE files while infecting them. The virus does not infect files whose names match *WE?.*, *AN?.*, *38?.*.
Depending on its internal random counter, the virus patches the standard Windows 95 logos "Please wait while your computer shuts down" and "It's now safe to turn off your computer": it writes an image of a fly agaric mushroom ("muhomor" in Russian) to the top of these logos.

The virus contains the text strings:
.E.C.e.cXEOMxeom
weANanaNAnWE38
Muhamor virus ver 1.1
Version 1.1
C:\WINDOWS\LOGOS.sys
C:\WINDOWS\LOGOW.sys

MTZ.Pink.5081

Sunday, September 30th, 2007

This is a memory resident parasitic stealth polymorphic virus. On installation it checks the DOS version and does not install itself if DOS is not 5.0 or higher; this is necessary because the virus uses high memory while installing. Then the virus checks the system memory for an already installed copy of itself with an "Are you here?" INT 21h call with AX=3056h, BX=4D54h, CX=5A21h, DX=3933h ("MTZ!0V93"). The memory resident virus returns 4F4Bh ("OK") in the AX register.
While allocating a block of system memory the virus uses the new (DOS 5.0 and higher) INT 21h functions. This allows the virus to install itself in Upper Memory Blocks if there is enough free space. Otherwise, or if upper memory is not in use, the virus installs itself at the top of conventional memory in the ordinary manner.
The installation continues with an INT 21h tracing routine. This is a quite complex routine that uses new tricks never used in other viruses; that routine is described below.
Then the virus hooks the INT 21h and INT 13h vectors and returns control to the host program. INT 21h is used for file infection and stealth; INT 13h is used for stealth only.
On the DOS call Open File Handle the virus checks the file and disinfects it if it is infected. This is a stealth algorithm, and it makes detection of infected files impossible without first disinfecting system memory.
On the DOS calls Execute (AH=4B00h) or Close File Handle (AH=3Dh) the virus calls its infection routine. This routine checks the file name and extension and does not infect files with the names TB*.EXE, SC*.EXE, F-*.EXE, VS*.EXE, CL*.EXE, CP*.EXE (TBAV, SCAN, F-PROT, VSHIELD and VSTOP, CLEAN, CPAV). The virus infects files with the .EXE extension only. Then the virus calls the polymorphic routine and writes the decryptor and the encrypted virus body at the end of the file.
While installing its TSR copy the virus searches for the original address of the INT 21h handler. That handler (together with the other DOS interrupt handlers) is located in the DOS code and data area. To calculate the INT 21h handler address the virus uses quite interesting tricks. First it gets the segment address of the DOS area through an undocumented INT 2Fh function, then it gets the segment address of the first memory block occupied by some program (usually that block contains the system drivers listed in CONFIG.SYS). That block follows the DOS area, so the virus "knows" the segment address of the DOS system area and its length.
Then the virus allocates a block of XMS memory, copies the whole DOS code and data into this block, hooks INT 6 (Undefined Opcode), fills (erases!) the DOS area with FFh bytes and calls INT 21h with the Get DOS Version function.
The system should halt after such manipulations, because any call to system functions would be passed to the area that has been erased with FFh bytes. Moreover, there is no assembler instruction consisting of the bytes FFh,FFh; on execution of such code, i286+ chips generate INT 6 (the Undefined Opcode interrupt).
The virus uses that feature of the Intel processor and hooks INT 6 to intercept the moment the bytes FFh,FFh are executed. The virus stores the address from which INT 6 was raised, restores the DOS data and code (moves it back from the XMS buffer) and frees the XMS block.
And which address was intercepted by the virus on INT 6? It is exactly the address of the original INT 21h handler. On an INT 21h call, control is passed from instruction to instruction and from one memory resident program to another until it reaches the DOS area; there the FFFFh code in the erased DOS area causes INT 06h and stops the execution of the instruction sequence.
Of course, that method is too complex to be reliable, but it works. It is questionable how it would work in multitasking mode, under MS-Windows or new xx-DOS versions, but it works without problems under single-tasking MS-DOS 5.0 and 6.0.
The virus contains three stealth routines. The first is called on the DOS Find First and Find Next calls (the virus substitutes the file length); the second is called on file opening (the virus disinfects the file). These routines hide infected files from access via standard DOS calls.
But there are several antivirus scanners that scan disks via low level functions, by INT 13h (Absolute Disk Read). The virus uses its third stealth routine here: it checks the address of the sector being read via INT 13h, and if the number of this sector equals the number of the first sector of an infected file, the virus terminates that call. That stealth routine returns an error code (Data CRC Error) instead of reading the beginning of the infected file.
This virus contains the text strings:
- The Pink Panther 2 (*The Last One*) - (c) MTZ '1 Jan 1994' Italy
Dedicated to Federica!
[MTZ 1994]
On December 31st the virus displays this text.

MTZ.Pink.4510

Sunday, September 30th, 2007

This is a memory resident parasitic stealth polymorphic virus. On installation it checks the DOS version and does not install itself if DOS is not 5.0 or higher; this is necessary because the virus uses high memory while installing. Then the virus checks the system memory for an already installed copy of itself with an "Are you here?" INT 21h call with AX=3056h, BX=4D54h, CX=5A21h, DX=3933h ("MTZ!0V93"). The memory resident virus returns 4F4Bh ("OK") in the AX register.
While allocating a block of system memory the virus uses the new (DOS 5.0 and higher) INT 21h functions. This allows the virus to install itself in Upper Memory Blocks if there is enough free space. Otherwise, or if upper memory is not in use, the virus installs itself at the top of conventional memory in the ordinary manner.
The installation continues with an INT 21h tracing routine. This is a quite complex routine that uses new tricks never used in other viruses; that routine is described below.
Then the virus hooks the INT 21h and INT 25h vectors and returns control to the host program. INT 21h is used for file infection and stealth; INT 25h is used for stealth only.
On the DOS call Open File Handle the virus checks the file and disinfects it if it is infected. This is a stealth algorithm, and it makes detection of infected files impossible without first disinfecting system memory.
On the DOS calls Execute (AH=4B00h) or Close File Handle (AH=3Dh) the virus calls its infection routine. This routine checks the file name and extension and does not infect files with the names TB*.EXE, SC*.EXE, F-*.EXE, VS*.EXE, CL*.EXE, CP*.EXE (TBAV, SCAN, F-PROT, VSHIELD and VSTOP, CLEAN, CPAV). The virus infects files with the .EXE extension only. Then the virus calls the polymorphic routine and writes the decryptor and the encrypted virus body at the end of the file.
While installing its TSR copy the virus searches for the original address of the INT 21h handler. That handler (together with the other DOS interrupt handlers) is located in the DOS code and data area. To calculate the INT 21h handler address the virus uses quite interesting tricks. First it gets the segment address of the DOS area through an undocumented INT 2Fh function, then it gets the segment address of the first memory block occupied by some program (usually that block contains the system drivers listed in CONFIG.SYS). That block follows the DOS area, so the virus "knows" the segment address of the DOS system area and its length.
Then the virus allocates a block of XMS memory, copies the whole DOS code and data into this block, hooks INT 6 (Undefined Opcode), fills (erases!) the DOS area with FFh bytes and calls INT 21h with the Get DOS Version function.
The system should halt after such manipulations, because any call to system functions would be passed to the area that has been erased with FFh bytes. Moreover, there is no assembler instruction consisting of the bytes FFh,FFh; on execution of such code, i286+ chips generate INT 6 (the Undefined Opcode interrupt).
The virus uses that feature of the Intel processor and hooks INT 6 to intercept the moment the bytes FFh,FFh are executed. The virus stores the address from which INT 6 was raised, restores the DOS data and code (moves it back from the XMS buffer) and frees the XMS block.
And which address was intercepted by the virus on INT 6? It is exactly the address of the original INT 21h handler. On an INT 21h call, control is passed from instruction to instruction and from one memory resident program to another until it reaches the DOS area; there the FFFFh code in the erased DOS area causes INT 06h and stops the execution of the instruction sequence.
Of course, that method is too complex to be reliable, but it works. It is questionable how it would work in multitasking mode, under MS-Windows or new xx-DOS versions, but it works without problems under single-tasking MS-DOS 5.0 and 6.0.
The virus contains three stealth routines. The first is called on the DOS Find First and Find Next calls (the virus substitutes the file length); the second is called on file opening (the virus disinfects the file). These routines hide infected files from access via standard DOS calls.
But there are several antivirus scanners that scan disks via low level functions, by INT 25h calls (Absolute Disk Read). The virus uses its third stealth routine here: it checks the address of the sector being read via INT 25h, and if the number of this sector equals the number of the first sector of an infected file, the virus terminates that call. That stealth routine returns an error code (Data CRC Error) instead of reading the beginning of the infected file.
This virus contains the text string:
- The Pink Panther - (c) MTZ Sept. 1993 Italy

MTZ.971

Saturday, September 29th, 2007

This is a benign non-memory-resident parasitic encrypted virus. It searches for COM files and writes itself to the end of the file. It contains the text string:
MTZ Virus 1.0 - From Italy
Sometimes it displays:
You are lucky. Full moon tonight.!

MTZ.2624

Saturday, September 29th, 2007

This is a benign memory resident parasitic polymorphic stealth virus. When executed it checks the DOS version and installs itself as memory resident under DOS 5.0 or above. If there is a free block of upper memory, the virus copies itself into the UMB. This virus infects files on the FindFirst/FindNext DOS calls. On opening an infected file the virus disinfects it.
The virus hooks INT 21h and writes itself to the end of EXE files (except SCAN.EXE). Depending on the system timer it displays the message:
Overkill IV Virus - By MTZ - From Italy -
(Cazzo! Anche oggi un altro 2 di picche, ma si puo' andare avanti cosi' ?)

MTZ.1907

Saturday, September 29th, 2007

This is a benign memory resident parasitic polymorphic stealth virus. When executed it checks the DOS version and installs itself as memory resident under DOS 5.0 or above. If there is a free block of upper memory, the virus copies itself into the UMB. This virus infects files on the FindFirst/FindNext DOS calls. On opening an infected file the virus disinfects it.
The virus hooks INT 3, 15h and 21h. Interrupt 3 is used as the decryption routine, the INT 15h handler calls the trigger routine, and the INT 21h handler calls the infection routine. This virus writes itself to the end of COM files. On warm reset (Ctrl-Alt-Del) it displays the message:
Y.K.K. - (c) M T Z - Italy!
Good Luck Today

MtE.Pogue

Saturday, September 29th, 2007

This is the first known real polymorphic virus. It is harmless and memory resident. It hooks INT 1Ch and 21h and appends itself to COM files when they are started or closed. It plays a tune from time to time and contains the following texts:
TNX2DAV
Pogue Mahone!

MtE.Mother

Saturday, September 29th, 2007

This is a benign non-memory-resident virus. It searches for COM files and writes itself to the end of the file. Sometimes it draws a picture and tries to play some music.
It contains the texts:
Ripped this Motherfucker off SHIT!!! Wont workall.
We dedicate this little virus to Sara Gordon who wanted to have a virus
named after her.

MtE.Coffeeshop

Saturday, September 29th, 2007

This is a relatively harmless memory resident virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or renamed. On Fridays, while running an infected file, the virus displays, with a probability of 1/256, the message "LEGALIZE CANNABIS" and a picture of a green leaf.
It also contains the text strings:
SCCLVSNEHTTBVIRAFEMTBR
Amsterdam = COFFEESHOP!
MK1992

There is an encrypted variant of this virus named "Coffeeshop.1568". It displays the message "LEGALIZE CANNABIS" and contains the strings:
CoffeeShop
COSCCLVSNEHTTBVIRAFEMTBR
MK '92

Mte-Small Family

Friday, September 28th, 2007

These are not dangerous memory resident polymorphic parasitic viruses. They hook INT 21h and write themselves to the beginning of COM and EXE files that are executed. They display the following message and halt the PC:
“Mte-Small.Mega”:
FORMULA 1: I love this competition. Coulthard will be the winner.

“Mte-Small.Sepultura”:
Virus is dedicated
in memory of my friend Igor.
CHAOS A.D.

The viruses also contain the text strings:
“Mte-Small.Mega”:
MEGADETH
MtE-small by Keith Timmons.
MetallicA

“Mte-Small.Sepultura”:
Shurick's MtE-small
SEPULTURA

MSU4.2000

Friday, September 28th, 2007

This is a dangerous memory resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the beginning of COM (except COMMAND.COM) and EXE files that are executed or opened. It has a bug and halts the system while infecting EXE files. On infecting, the virus creates the temporary file DOC_MOC.MOC, writes the virus into it, appends the host file, and renames DOC_MOC.MOC to the name of that file. The virus contains the text string:
MSU 4 113 P.D. 1994

MSU.271

Friday, September 28th, 2007

This is a harmless non-memory-resident parasitic virus. It searches for COM files, then writes itself to the beginning of the file. It contains the text string:
MSU-Virus v1.0:The StartUp !
