There are 4 variants:
There are additional 5 variants which also belong to this family.
When the virus is executed it first checks the DOS version and installs itself as memory resident if the version is 5.0 or above. If there is free block of upper memory (UMB), this virus would copy itself to there. This virus infects files on FindFirst/FindNext DOS calls. On opening an infected file the virus disinfects it.
The virus hooks INT 3, 15h, 21h. INT 3 is used as decryption routine, INT 15h handler calls trigger routine, INT 21h handler calls infection routine, and writes itself to the end of the file that are executed.
MTZ.971 and 1907
These variants target DOS executable files and they do not infect those are smaller than 2,048 bytes.
MTZ.2501 and 2624
These variants target EXE executable files.
These are stealthy variants. They infect EXE files, and they do not infect files that are smaller than 5,120 bytes.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
This variant does not manifest itself at anyway.
This variant activates when the user issues CTRL-ALT-DEL, it displays a graphical effect with noises and beeps, having the message at the top:
Y.K.K. - (c) M T Z - Italy! Good Luck Today
This variant activates randomly on January 26th, on running an infected program it displays the following before the host program:
The Ridge Projekt is here..
This variant activates randomly on 30th day in any month, it displays the following before the host program:
Overkill IV Virus - By MTZ - From Italy - <Hit any key to continue> (Cazzo! Anche oggi un altro 2 di picche, ma si puo' andare avanti cosi' ?)
This family has 9 variants in total:
- Virus.DOS.MTZ.Overkill (3 variants)
- Virus.DOS.MTZ.Pink (2 variants)
- List of variants of the MTZ virus on VX Heaven