Prevent Online Threats

Archive for September, 2007

MPTI.1536

Tuesday, September 25th, 2007

Details
MPTI.1536.a

It is a dangerous memory resident, partly encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. Depending on the system date, it corrupts boot sectors and erases the CMOS. It contains the text string:
AIDSTESTVL(C) S.A.- MPTI,1992.

MPS.469

Tuesday, September 25th, 2007

Details
MPS.469

These are harmless non-memory resident parasitic viruses. They search for .COM files in the current directory, write themselves to the end of each file and put a jump-to-virus stub (INC AX, JMP Loc_Vir) at the beginning of the file. They do not manifest themselves in any way. The viruses contain the texts:
*.COM
(C) MPS-OPS 1991
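As an added example, not code from the original page, the following Python script checks a .COM file for the structure just described: a virus body appended at the end of the file and a short INC AX / JMP stub at the start that transfers control to it. The sample host program and its "infected" copy are constructed inline; the marker strings are the plaintext ones quoted on this page for MPS.469 and MPS.754, and the 25% "tail" threshold is an assumption of this example.

```python
"""Heuristic check for 'appender' infections of DOS .COM files.

Added example, not code from the original page.  A .COM file is loaded at
offset 0x100 and execution starts at its first byte, so a virus that appends
itself and overwrites the first bytes with INC AX / JMP (as MPS.469 does)
leaves a leading jump whose target lies in the tail of the file.
"""
import struct

# Plaintext marker strings quoted in the MPS descriptions.
KNOWN_MARKERS = [b"(C) MPS-OPS 1991", b"(C) MPS-OPC v4.12"]


def entry_jump_target(data):
    """Return the file offset reached by a leading JMP, or None if the file
    does not start with JMP (an optional INC AX, opcode 0x40, may precede it).

    Relative jumps are taken from the address of the next instruction, so the
    target in file offsets is (offset after the jump) + displacement; the
    0x100 load base cancels out."""
    i = 1 if data[:1] == b"\x40" else 0
    op = data[i:i + 1]
    if op == b"\xe9" and len(data) >= i + 3:          # JMP rel16
        disp = struct.unpack_from("<h", data, i + 1)[0]
        return i + 3 + disp
    if op == b"\xeb" and len(data) >= i + 2:          # JMP rel8
        disp = struct.unpack_from("<b", data, i + 1)[0]
        return i + 2 + disp
    return None


def analyse_com(data, tail_fraction=0.25):
    """Return a list of findings for one .COM image (empty list = nothing seen).

    Two signals: the entry jump lands in the last `tail_fraction` of the file,
    and/or a known marker string is present anywhere in the file."""
    findings = []
    target = entry_jump_target(data)
    if target is not None and 0 <= target < len(data):
        if target >= len(data) * (1 - tail_fraction):
            findings.append("entry JMP to 0x%x lands in file tail (size 0x%x)"
                            % (target, len(data)))
    for marker in KNOWN_MARKERS:
        if marker in data:
            findings.append("marker string %r" % marker)
    return findings


def build_samples():
    """Constructed sample data: a clean host program and the same host after an
    MPS.469-style infection (body appended, first 4 bytes replaced by
    INC AX / JMP body).  Returns (clean, infected)."""
    host = b"\xb4\x4c\xcd\x21" + b"\x90" * 200          # mov ah,4Ch ; int 21h ; padding
    body = b"\x90" * 16 + b"(C) MPS-OPS 1991" + b"*.COM\x00"
    # The stub occupies offsets 0..3, so the jump's next-instruction offset is 4
    # and the displacement needed to reach the appended body is len(host) - 4.
    disp = len(host) - 4
    stub = b"\x40\xe9" + struct.pack("<h", disp)
    infected = stub + host[4:] + body
    return host, infected


if __name__ == "__main__":
    clean, infected = build_samples()
    print("clean   :", analyse_com(clean) or "no findings")
    print("infected:", analyse_com(infected))
```

Run it on a real file with `analyse_com(open(path, "rb").read())`. The jump heuristic on its own produces false positives on legitimate programs that begin with a jump over embedded data, so treat it as a triage signal and the marker strings as the confirming one.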

MPS.682
It is a memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .EXE files that are executed. It contains the encrypted string:
Przepraszam wszystkich, ktorzy ucierpieli z powodu niedoskonalosci moich
wirusow oraz p.Sella za ich prymitywna budowe. Niestety, dopiero zaczynam
wkraczac w swiat jezyka maszynowego. Marek Pande (C) MPS-OPC v4.01
(In English: "I apologise to everyone who has suffered because of the imperfections of my viruses, and to Mr. Sell for their primitive construction. Unfortunately, I am only beginning to enter the world of machine language. Marek Pande (C) MPS-OPC v4.01")

MPS.754
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files that are executed. It contains the text:
(C) MPS-OPC v4.12

MPHTI Family

Tuesday, September 25th, 2007

Details
MPHTI Family

These are very dangerous viruses. They infect the boot sectors of hard and floppy disks. The viruses save the old boot sector of the infected disk in the sector following the last sector of the root directory. According to their internal counters, the viruses can destroy the information on the first 8 tracks of all accessible disks. The viruses hook INT 13h and also contain the text “1991,MFTI” in Cyrillic encoding (MFTI - Moscow college).

Mpei.4772

Tuesday, September 25th, 2007

Details
Mpei.4772

This is a relatively harmless memory resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed, created or opened. The virus uses anti-debugging tricks.
If a Novell network is installed, the virus, depending on its counter, sends a message in Russian to all workstations on the network. On Fridays, the virus drops a program to the MBR of the hard drive that looks like a stealth boot virus but has no infection routine: the code does everything other boot viruses do (installs itself in memory, hooks INT 13h and runs a stealth routine), except that it does not infect other disks.
The virus contains the following text strings in Russian and English:
COMSPEC=
NAME: MPEI
Windows 95 MUST DIE !!!
Copyleft (c) Down’niloff Corp.,2000. All Lefts Preserved.

MotherShip.655

Tuesday, September 25th, 2007

Details
MotherShip.655

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or opened. The virus does not manifest itself in any way; it contains the text string:
MoTHER MotherShip (c) 1994 Stormbringer

Mosquito_II.512

Tuesday, September 25th, 2007

Details
Mosquito_II.512

It is a harmless non-memory resident parasitic virus. It searches for .COM files, then writes itself to the end of each file. The virus does not manifest itself in any way; it contains the text string:
MOSQUITO K1K (c) 1996

Mosquito.768

Monday, September 24th, 2007

Details
Mosquito.768

It is a dangerous memory resident parasitic virus. It hooks INT 10h and INT 21h and writes itself into the middle of EXE files that are executed; while infecting, the virus may corrupt the files. While certain characters are being displayed, the virus beeps through the PC speaker. The virus contains the text string:
v Mosquito.(Crazy)

Moskau.800

Monday, September 24th, 2007

Details
Moskau.800

It is a harmless non-memory resident, encrypted parasitic virus. It searches for COM files in the current directory, then writes itself to the end of each file. The virus uses anti-debugging tricks. It contains the text strings:
Stas
*.com

Morse.1060

Monday, September 24th, 2007

Details
Morse.1060

It is a memory resident parasitic virus that is not dangerous. It hooks INT 1Ch and INT 21h and writes itself to the end of .EXE files. The virus manifests itself by beeping in Morse code.

Morphine.3500

Monday, September 24th, 2007

Details
Morphine.3500

This is a benign memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or opened. While installing itself memory resident, the virus also infects COMMAND.COM. The virus checks file names and does not infect the anti-virus programs F-PROT, TBAV and SCAN. The virus deletes the anti-virus data files ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS and ZZ##.IM.
Under a debugger, or on August 10th, the virus displays the following text and then runs a video effect:
RELIGIOUS VOMIT! MORPHINE-A VIRUS 0.6.4

The virus also contains the text strings:
[Morphine-A] 0.6.4
by Ren Hoëk
BA.Argentina
Greets to: PJanes,Rat,Largus & the girls
Kill the talking bastard! kill him! Juap!
ok..rec-tunn stolen from Vlad Mag.
COMSPEC=

Moridin

Monday, September 24th, 2007

Details
Moridin

This is a multi-platform virus that infects Win32 executable files and MS Word documents, spreads via e-mail and IRC channels, and also infects the local network. The virus has backdoor ability as well.
The virus is about 70K in size, and there are several other components embedded in it: Win32 EXE “helper” (additional application), Word template, Word macro component source, as well as several script programs: VBS, mIRC, PIRCH and vIRC. The EXE virus routines are written in Assembler.
The virus can be found in several forms:
- infected PE EXE file
- EXE helper
- infected Word documents
- VBS script
- IRC scripts
While spreading via e-mail, over the network and through IRC channels, the worm names its copies CRACK.EXE, PACKED.EXE, SETUP.EXE, NETX.EXE and INIT.EXE.
PE EXE Virus Component - Infected PE EXE Files
Infecting PE EXE files
While infecting a PE EXE file, the virus increases the size of the last file section, encrypts itself with a polymorphic routine and writes itself there. The polymorphic code is of average complexity.
To gain control when an infected file is run, the virus patches the file's entry code with a short semi-polymorphic stub that immediately passes control to the polymorphic decryption loop.
Infected File Run
When an infected file is run, the virus polymorphic code gains control, decrypts the main virus code and transfers control there. The virus then creates four files in the Windows system directory:
ADVAPI33.EXE (note: "33", not "32")
PACKED.EXE
MMSYSTEM.BIN
COMMDLG.VBS
The first three files contain the same code: a 60K virus helper (see below), which is a PE EXE file and runs as an ordinary Windows application. These files are used by the other virus components to infect Word documents and to spread the virus via IRC channels and e-mail (see below).
PACKED.EXE and MMSYSTEM.BIN are then infected by the virus in the same way as any other EXE file (see above). As a result, the size of these files grows to about 130K (60K of helper plus 70K of complete virus code), and the helper code is duplicated in them (the helper is infected by a virus that has another copy of the helper embedded in it).
The COMMDLG.VBS file contains VBScript that spreads the virus on the Internet via e-mail messages.
System Registry Keys
The virus then modifies the system registry keys. It creates the following keys:
1. HKEY_CLASSES_ROOT\exefile\shell\open\command
default = "%SystemDir%\MMSYSTEM.BIN" %1 %*
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
mmsystem = COMMDLG.VBS
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\ASMODEUS$

Flags = 0x392 (914)
Parm1enc = 7c d1 15
Parm2enc = 00
Path = “C:\”
Remark = “”
Type = 0
and deletes the following key:
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
NoDriveAutorun
modifies the following keys:
5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network
DisablePwdCaching = 0
6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
WinDrop = "%SystemDir%"

where %SystemDir% is the name of the Windows system directory.
Key "1" causes the system to run the virus helper whenever any EXE file is run (see below). Key "2" activates the VBS component that sends infected e-mail upon Windows startup. Key "3" seems to be a virus ID stamp. Key "4" enables AUTORUN.INF auto-processing. Key "5" allows a backdoor component to obtain system passwords (the virus code doesn't contain a routine for that, but one can be downloaded and installed, see below). Key "6" is another virus ID stamp, used by the MS Word virus component to locate the exact directory where the other virus components are located.
If the virus fails to install itself to the Windows system directory, it drops its files to the Windows temporary directory and creates/deletes/modifies exactly the same keys, with the exception of "3".
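The registry changes above are the most durable artefacts Moridin leaves on a machine, so they are a natural thing to audit. The following Python script is an added example, not code from the original page: it checks a registry snapshot for the indicators listed above (the EXE association pointing at MMSYSTEM.BIN, the COMMDLG.VBS Run entry, the ASMODEUS$ and WinDrop stamps, DisablePwdCaching set to 0) and for the Ikx key that the MS Outlook section describes as the mailer's "already sent" marker. The snapshot format (a dict of key path to value-name/data pairs) and the two sample snapshots are constructed for this example; %SystemDir% is assumed to be C:\WINDOWS\SYSTEM.

```python
"""Check a registry snapshot for the Moridin indicators described on this page.

Added example, not code from the original page.  `snapshot` maps a key path to
a dict of value name -> data (the default value has the empty name ""), as you
might build from `reg export` output or the winreg module; the sample
snapshots below are constructed.  Key paths and value names are matched
case-insensitively, as the registry itself does.
"""
HKLM_CV = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"

# (key path, value name, predicate on the data as a string, description)
VALUE_INDICATORS = [
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "",
     lambda v: "mmsystem.bin" in v.lower(),
     "EXE association points at MMSYSTEM.BIN: the helper runs on every EXE launch"),
    (HKLM_CV + r"\Run", "mmsystem",
     lambda v: v.lower().endswith("commdlg.vbs"),
     "COMMDLG.VBS mailer registered in the Run key"),
    (HKLM_CV + r"\Policies\Network", "DisablePwdCaching",
     lambda v: v.strip() == "0",
     "password caching re-enabled (weak signal on its own)"),
    (HKLM_CV, "WinDrop",
     lambda v: True,
     "WinDrop ID stamp present (points the Word component at the drop directory)"),
]

# Keys whose mere presence is an indicator.
KEY_INDICATORS = [
    (HKLM_CV + r"\Network\LanMan\ASMODEUS$", "ASMODEUS$ LanMan entry (virus ID stamp)"),
    (HKLM_CV + r"\Ikx", "Ikx key (VBS mailer's 'already sent' marker)"),
]


def _normalise(snapshot):
    """Lower-case every key path and value name; stringify the data."""
    return {k.lower(): {n.lower(): str(d) for n, d in vals.items()}
            for k, vals in snapshot.items()}


def check_registry(snapshot):
    """Return the descriptions of all indicators found in `snapshot`."""
    keys = _normalise(snapshot)
    findings = []
    for path, name, matches, desc in VALUE_INDICATORS:
        vals = keys.get(path.lower(), {})
        if name.lower() in vals and matches(vals[name.lower()]):
            findings.append(desc)
    for path, desc in KEY_INDICATORS:
        if path.lower() in keys:
            findings.append(desc)
    return findings


# Constructed sample: what the keys described above would look like after
# infection, with %SystemDir% expanded to C:\WINDOWS\SYSTEM (an assumption).
SAMPLE_INFECTED = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": r'"C:\WINDOWS\SYSTEM\MMSYSTEM.BIN" %1 %*'},
    HKLM_CV + r"\Run": {"mmsystem": "COMMDLG.VBS"},
    HKLM_CV + r"\Network\LanMan\ASMODEUS$": {"Flags": 914, "Path": "C:\\", "Remark": "", "Type": 0},
    HKLM_CV + r"\Policies\Network": {"DisablePwdCaching": 0},
    HKLM_CV: {"WinDrop": r"C:\WINDOWS\SYSTEM"},
    HKLM_CV + r"\Ikx": {"Moridin 1.0": ""},
}

# Constructed sample of an untouched system: default EXE association, no stamps.
SAMPLE_CLEAN = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": '"%1" %*'},
    HKLM_CV + r"\Run": {"SystemTray": "SysTray.Exe"},
    HKLM_CV + r"\Policies\Network": {"DisablePwdCaching": 1},
}

if __name__ == "__main__":
    for label, snap in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, "->", check_registry(snap) or "no indicators")
```

The exefile\shell\open\command check is the one worth keeping in any baseline audit regardless of this particular virus: a default EXE association that is anything other than `"%1" %*` means every program launch passes through someone else's code first.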
Infection, etc.
The virus then infects up to five EXE and up to five SCR files in the current directory. It uses the masks "GOAT*.EXE" and "GOAT*.SCR" to locate them, so this is a "research" virus that cannot infect files with standard names. However, that "feature" could easily be changed by the virus author, after which the virus would infect PE EXE files of any name.
Even though this version infects GOAT* files only, it checks each file for an anti-virus name and skips infection if one matches. The virus recognises anti-virus programs by the first four characters of the file name:
FSAV PAND INOC TBSC NAVS NAVD NAVX ADVA SCAN NOD3 DRWE SPID AMON AVP3 AVPM
The virus also does not infect WinZip self-extractors.
The virus deletes the following anti-virus data files:
CHKLIST.MS CHKLIST.DAT CHKLIST.CPS CHKLIST.TAV AGUARD.DAT AVGQT.DAT
ANTI-VIR.DAT SMARTCHK.MS SMARTCHK.CPS IVP.NTZ AVP.CRC
This virus component contains the texts:
-[W97-2K/Win32.Moridin 1.0] by Asmodeus iKX
Tia mi aven Moridin vadin
“The grave is no bar to my call”
Virus Helper Run
The virus helper is activated upon any EXE file run (caused by system registry key "1", see above). On its command line the helper receives the name of the EXE file that was to be executed, together with that file's own command-line arguments, and it examines both.
When any of the mIRC, PIRCH or vIRC clients is executed, the virus affects it: it makes a copy of itself in the current directory under the name CRACK.EXE and creates a corresponding script file or files that send the infected CRACK.EXE to other users. The file is sent either on entering the IRC channel (in the case of a vIRC client) or when a text containing the word "crack" is sent to the channel (mIRC, PIRCH).
Script files created by the virus:
MIRC : SCRIPT.INI, SCRIPT.OLD
PIRC : EVENTS.INI
VIRC : DEFAULT.LIB
In case a user attempts to execute the REGEDIT.EXE or an anti-virus program, the virus simply terminates that request. The list of these file names is as follows:
REGE*, AVP3*, AVPM*, AVPC*, NOD3*, AMON*, SCAN*, SPID*, DRWE*
When a file is executed whose name matches one of the three "virus-file" names CRAC*, PACK* or MMSY*, or a file named SETU*, the virus terminates the file and displays a fake error message:
WinZip Self-Extractor
WinZip Self-Extractor header corrupt.
Possible cause: bad disk or file transfer error
If the command line contains a reference to a .DOC file, the virus appends its PACKED.EXE file to the end of that document. This appended copy is used later to spread the virus from infected Word documents.
The virus helper also drops two more files for migrating to the MS Word environment:
NORMAL.DOT to MS Word templates directory
IMPMORI.DRV to Windows system directory
The NORMAL.DOT template contains a virus “loader” that obtains the complete virus macros from the IMPMORI.DRV file.
The virus helper also disables macro-virus protection in the system registry, and looks for memory resident anti-virus programs and terminates them:
AVP Monitor
Amon Antivirus Monitor
Norton AntiVirus Auto-Protect Trial Version
Norton AntiVirus Auto-Protect
HTML pages are also affected by the virus. If a .HTM file is found in the current directory, the virus copies itself there under the name SETUP.EXE and appends a "Download" link to the HTM file. Clicking on this link results in a standard "File Download" window.
Depending on the random counter, the virus helper also sets the volume label “W32Moridin” to the current drive.
Infecting a Network
The virus helper's feature list does not end there: it also spreads the virus over the local network if there are drives shared with full access. The virus helper enumerates them and tries to infect them in two ways.
1. The virus copies itself there under the name NETX.EXE and creates an AUTORUN.INF file there with a command that activates the virus copy in NETX.EXE.
2. The virus looks for the Windows directory on the drive. If there is a directory with a "Windows"-like name, the virus copies itself there under the name INIT.EXE and registers that copy in the auto-run section of WIN.INI.
Infecting Remote Machines
In addition to intranet infection, the virus also tries to infect remote machines in one more way. It checks whether one of the Internet applications listed below is running:
GetRight Monitor
Microsoft Outlook
ICQMsgAPI Window
WWW Links
PIRCH98
Sockets Window
In this case the virus obtains the IP address of the host (the machine the infected computer is connected to), then scans the host's subnet (usually a class C subnet) for the presence of the NetBus backdoor. If a machine infected by NetBus is found, the virus sends its copy there and forces NetBus to execute it.
Backdoor Routine
The virus helper also has its own Backdoor routine with just four commands implemented:
- opens and closes CD door
- downloads and spawns a file
- terminates itself (backdoor routine)
- displays a message, the message box headline contains the following text:

[W97-2K/Win32.Moridin 1.0] by Asmodeus iKX
Infected E-mail
The virus uses two mail systems to spread itself: MS Outlook and Pegasus. The first method is implemented in the VBS virus component, the second in the MS Word macro component.
MS Outlook
To spread itself via e-mail, the virus' COMMDLG.VBS file connects to MS Outlook, obtains all addresses from the Address Book and sends its copy (the PACKED.EXE file) to each of them, attached to the message. The message has a randomly selected Subject, Body and Signature:
Subject: “Virus ALERT!”
Body: “There is a VBS-worm spreading over email, protect yourself!
Do not open any attachment called FREE-SEX.VBS”
Subject: “Utopia/Earth 2025 tutorials”
Body: “Hi everyone, check this game out! www.games.esite.com.
A couple of tutorials are attached to the message”
Subject: “This is how I look :)”
Body: “Here is some pictures of me, you like it? :)”
The Signature is selected from the following variants:
Regards,
Sincerely,
Have a nice day,
It is completed with the computer owner's name and organization name, which the virus obtains from the system registry.
The virus' VBS file is run upon each Windows restart. To prevent duplicate mailings, the virus creates the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Ikx
Moridin 1.0
and exits the e-mail spreading routine if this key already is present in the registry.
Pegasus
The macro component in the infected MS Word document looks for the Pegasus mail client installed on the system. The virus selects an address from the Pegasus database and sends the active document there. The message has one of the following texts:
Check this out!

BAAAAAAAM! You just got hit by an attachment, this is the attachment war! Hit someone, NOW!
Infecting MS Word
The virus affects MS Word when it is run from the infected NORMAL.DOT file (see above). A short macro program in that template obtains the main virus macro from the IMPMORI.DRV file in the Windows system directory and transfers it to NORMAL.DOT.
The main virus macro contains three routines: sending a virus copy via e-mail using Pegasus (see above); infecting other MS Word documents; extracting and spawning a PE EXE component from the document.
MS Word documents are infected when they are opened by Word. The virus simply copies its macro code into them and spawns ADVAPI33.EXE with the document file name on the command line, which appends the EXE virus code to the end of the document.
To extract the EXE code from the Word document, the virus macro opens the document as a binary file, goes to the end of the file, reads the virus EXE component, saves it to a disk file with the name W32MORI.EXE to the Windows directory and executes this file. So, the EXE virus component gains control from the infected Word document.
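The document-to-EXE hand-off just described leaves a recognisable artefact: a Word 97 .doc file with a PE executable glued onto its end. As an added example, not code from the original page, the Python script below locates such an appended executable. It relies on two facts that are not stated on the page but are well known: Word 97-2000 .doc files are OLE2 compound files whose first eight bytes are the signature D0 CF 11 E0 A1 B1 1A E1, and a PE image begins with an MZ header whose e_lfanew field (offset 0x3C) points at the "PE\0\0" signature. The sample document and the minimal PE-shaped blob are constructed here and are not real files.

```python
"""Locate a PE executable appended to a Word 97 .doc file.

Added example, not code from the original page.  Word 97-2000 documents are
OLE2 compound files (signature D0 CF 11 E0 A1 B1 1A E1); Moridin's helper
appends PACKED.EXE after the document and the macro later reads it back from
the end of the file.  The check below finds such an appended PE by looking for
an MZ header whose e_lfanew field points at a valid PE signature.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_HEADER_SIZE = 512


def is_valid_pe_at(data, off):
    """True if a DOS/PE header pair starts at `off`: an MZ stub whose e_lfanew
    points inside the buffer at the 'PE\\0\\0' signature."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    return pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00"


def find_appended_pe(doc):
    """Return (offset, length) of the first PE image found after the OLE2
    header, or None.  Raises ValueError if `doc` is not an OLE2 file."""
    if not doc.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    pos = doc.find(b"MZ", OLE_HEADER_SIZE)     # the header itself cannot hold a PE
    while pos != -1:
        if is_valid_pe_at(doc, pos):
            return pos, len(doc) - pos
        pos = doc.find(b"MZ", pos + 1)
    return None


def build_fake_pe():
    """Constructed minimal PE-shaped blob: MZ header with e_lfanew = 0x40,
    then the PE signature and some filler.  It is not a runnable program."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


def build_samples():
    """Constructed clean document (OLE magic plus zero-filled 512-byte sectors)
    and the same document with the fake PE appended, as the helper would do.
    Returns (clean, infected)."""
    clean = OLE_MAGIC + b"\x00" * (4 * OLE_HEADER_SIZE - len(OLE_MAGIC))
    return clean, clean + build_fake_pe()


if __name__ == "__main__":
    clean, infected = build_samples()
    print("clean   :", find_appended_pe(clean))
    print("infected:", find_appended_pe(infected))
```

On a real document use `find_appended_pe(open(path, "rb").read())`; a hit gives you the offset to carve the payload for analysis with `doc[offset:]`. Because every MZ candidate is validated through e_lfanew, a stray "MZ" inside the document text is not reported, but a legitimate executable embedded as an OLE object would be, so confirm a hit by checking whether the offset lies beyond the document's last allocated sector.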

Morgul Family

Monday, September 24th, 2007

Details
Morgul Family

These are dangerous memory resident parasitic viruses. They copy themselves to the Interrupt Vector Table, hook INT 21h and write themselves to the end of .COM files that are accessed. While installing themselves memory resident they overwrite the vector of the VGA internal interrupt and halt computers that have a VGA card installed. The viruses contain the text strings:
"Morgul.400,401": Morgul
"Morgul.424": Smeagol

Morgana.1624

Sunday, September 23rd, 2007

Details
Morgana.1624

It is a memory resident, encrypted, stealth parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. The virus contains the text string:
Virus MORGANA, (c) Hot Dog 25/12/1996. España

Morgan.470

Sunday, September 23rd, 2007

Details
Morgan.470

This is a benign non-memory resident parasitic virus. It searches for .COM files, then writes itself to the end of each file. On July 26 and December 6, it displays the following message:
You have been infected by a living MORGANISM

Mordor.538

Sunday, September 23rd, 2007

Details
Mordor.538

This is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the beginning of COM files (except COMMAND.COM) that are executed.
The virus does not manifest itself.

