Malware Wiki

Mirror


Virus.DOS.Mirror is a memory resident parasitic virus on DOS.

There are 8 variants in 4 versions, represented by the following:

  • Virus.DOS.Mirror.482.a
  • Virus.DOS.Mirror.924
  • Virus.DOS.Mirror.1056
  • Virus.DOS.Mirror.4130

Behavior

Mirror.482.a and 482.c

These are dangerous variants. They hook INT 21h and infect DOS executables as they are executed, although not every executed program is infected.

Mirror.924

This is a polymorphic variant. When run, it infects every EXE executable in the current directory. Programs infected by it might cause a system hang when they are run.

The infection size varies in different files.

Mirror.1056 and 1056.b

These are polymorphic variants. They hook INT 21h to infect EXE executables as they are run, although not every executed program is infected.

The infection size varies in different files.

Mirror.4130 and Mirror.a

These are polymorphic stealth variants. They infect every COMMAND.COM and temporarily infect all other executables in any directory when run. The infection size varies in different files and may cause an allocation error upon CHKDSK.

The virus is stealthy in that no memory usage can be observed, but the infection size is visible. In a file listing, the temporarily infected files show a size change, and when these files are copied the virus inserts itself into the new file.

The virus does not really infect files other than COMMAND.COM. While the virus stays in memory, every executable on any drive, even on CD-ROMs, is shown as infected. If it is unloaded from memory, the files are restored.

Mirror.b

This is a stealth variant. It infects COMMAND.COM only and may cause a memory allocation error after infection. A file infected by this variant may fail to execute and cause a system hang. The infection size is 1,384 bytes.

Memory usage

The following table shows the memory usage of the variants.

Variant                 Memory usage in bytes
Mirror.482.a            0^
Mirror.482.b            ?
Mirror.924              928
Mirror.1056 (plus B)    1,072
Mirror.4130             ?
Mirror.a                ?
Mirror.b                ?

^ According to the figure from the detailed mode of MEM.

Payload

Mirror.482.a and 482.c

These variants activate immediately after being loaded into memory. The virus rapidly flashes the characters on screen from left to right, and it also writes trojan code into the MBR. If the user resets the computer, the hard drive will be formatted.

On some systems, the text will correctly be mirrored, and a loud buzzing sound can also be heard.

Mirror.924

This variant hooks INT 8 to reverse the characters on screen, but the payload does not seem to activate.

Mirror.1056 and 1056.b

These variants hook INT 8 after being loaded into memory and turn all the characters on screen into garbage, making the screen unreadable. This lasts for about 2 minutes, after which the screen may return to normal. About 2 minutes later the characters are turned into garbage again, and the cycle repeats for as long as the virus stays in memory.

Mirror.4130, Mirror.a and b

These variants do not manifest themselves.

Other details

Mirror.924 contains the following internal text strings, along with the name of the infected file:

????????EXE
*.EXE

Mirror.1056 contains the internal text string:

Mirror

Mirror.4130, Mirror.a and b contain the internal text strings:

[ Mirror: Bit Addict / TridenT ]
COMSPEC=
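
As an added example (not part of the original wiki page), the Python script below scans a byte buffer for the internal strings listed above and reports which variant they point to. It assumes the strings are present unencrypted in the buffer being scanned, such as a memory dump, which the page does not state; the rule layout, confidence labels and the `WINDOW` proximity value are assumptions of the example.

```python
# Added example: triage scan for the internal strings listed on this page.
# Rule layout, confidence labels and WINDOW are assumptions of this example.
WINDOW = 512  # max distance in bytes between the strings of one rule

MARKER = b"[ Mirror: Bit Addict / TridenT ]"
RULES = [
    # (variant, confidence, strings that must all appear within WINDOW)
    ("Mirror.4130 / Mirror.a / Mirror.b", "high", [MARKER, b"COMSPEC="]),
    ("Mirror.924", "low", [b"????????EXE", b"*.EXE"]),  # generic DOS wildcards
    ("Mirror.1056", "low", [b"Mirror"]),                # very short string
]


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets, i = [], data.find(needle)
    while i != -1:
        offsets.append(i)
        i = data.find(needle, i + 1)
    return offsets


def scan(data: bytes) -> list:
    """Return (variant, confidence, offset) for each rule that matches."""
    marker_spans = [(o, o + len(MARKER)) for o in find_all(data, MARKER)]
    hits = []
    for variant, confidence, needles in RULES:
        first, rest = needles[0], needles[1:]
        for off in find_all(data, first):
            # "Mirror" inside the longer TridenT marker is not a 1056 hit.
            if first != MARKER and any(s <= off < e for s, e in marker_spans):
                continue
            near = all(
                any(abs(p - off) <= WINDOW for p in find_all(data, n))
                for n in rest
            )
            if near:
                hits.append((variant, confidence, off))
    return hits


if __name__ == "__main__":
    # Constructed buffers, not real samples.
    sample = b"\x90" * 40 + MARKER + b"\x00COMSPEC=" + b"\x00" * 20
    clean = b"COPY *.EXE A:\r\nCOMSPEC=C:\\COMMAND.COM\r\n"
    print(scan(sample))
    print(scan(clean))
```

Hits marked "low" rest on strings that also occur in clean DOS programs and need confirmation by other means.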

Videos

Mirror DOS Virus (00:35): Mirror.482 virus review by danooct1

Virus.DOS.Mirror and Virus.DOS.Miss-D (04:36): Mirror.1056 and Miss-D virus review by danooct1
