Threat Description

Matra R-440


Aliases: Matra R-440, April fools joke
Category: Other
Type: Other
Platform: N/A


There is no virus by this name. However, there was a widespread April Fools joke distributed discussing a hypotethical virus by this name. The actual message consisted of several other well-known hoax message.


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

The actual message was posted to several newsgroups on 29th of March, 1997, and looked like this:

 From: Kenhert
   Subject: !!!!!!!! VIRUS ALERT !!!!!!!!!!
   Date: Sat, 29 Mar 1997 06:16:23 GMT
   !!! Virus Alert !!!
   Matra R-440 Crotale Virus

   The Virus (or Viruses, rather)

   The worlds first multi-platform, multi-environment, and
   multi-sytems virus surfaced in Missouri on March 14, 1997. It
   was written in Pakistan by a group called Intollerant I-Rads.
   It seems to have been written by some extremely talented
   people. The extrodinary thing about it is it can infect any
   system and any OS and any chipset. It is not just one virus,
   but rather a series of them with an identical purpose.
   The first virus was sent about 3,000 people world wide via
   email. It is not a self-starting trojan as some people believe
   these types of things are, but rather a document attached to
   the email. This version of the virus is a MacroTrojan. It was
   sent to people using Netscape Navigator Mail and because
   Netscapes mail supports HTML tags they just used a simple tag
   that would autoload the DOC. The document containes the macros
   AARTS0, NTYAAA, PayLoad, and AutoOpen. When the document is
   opened the virus becomes active and infects all other
   documents opened after that the original. It then writes its
   code to the boot sector so it automatically loads with any
   type of reboot. From then it infects any COM/EXE file opened.
   Also, the next time you send someone email the virus uses the
   Netscape address book to send itself to anyone you've ever
   sent e-mail to.
   The second virus distributes itself on the modem sub-carrier
   present in all newer modems. The sub-carrier is used for ROM
   and register debugging purposes only, and otherwise serves no
   other purpose. The virus sets a bit pattern in one of the
   internal modem registers. A modem that has been "infected"
   with this virus will then transmit the virus to other modems
   that use a subcarrier. The virus then attaches itself to all
   binary incoming data and infects the host computer's hard
   disk. The only way to get rid of this virus is to completely
   reset all the modem registers by hand.
   The third virus is the last known version of this virus. This
   virus works on the same principles of the second version
   instead it travels through powerlines. It gets into the line
   by traveling on the 60 Hz sub-carrier. It works by reversing
   the I/O port pinouts thus achieving control over the CPU and
   the rest is history.
   Sole Purpose
   It seems that this is a rather, actually, extremely
   distructive virus. Although it may enter you system
   differently, once inside it behaves the exact same way. The
   virus contains the text "(c)1997 by Intollerant I-Rads. All
   rights reserved. Unauthorized reproduction is prohibited by
   law." and "Matra R-440 Virus, the Almighty!". The virus has a
   self-changing encryption algorythm, so every time it is
   written to disk it appears differently, making it nearly
   impossible to detect. When a computer is booted up the virus
   automatically loads before trapping 13h disabling
   any virus scanner that might be loaded after It
   then checks the real time clock using 17Ah, if it returns that
   the date is Jan. 6 then the virus becomes activated.

   Any time after Jan. 6 the virus will become active if the
   computer is left idle for 30 minutes. The virus then displays
   the message, "Do not turn off you computer until this virus is
   finished working on your hard drive or you will lose
   everything." What the virus is doing is encrypting all the
   data on the drive with XOR. While it is encrypting the data
   this virus does one of two things. It either focuses part of
   the cathode ray beam in your monitor, burning a hole in your
   screen, or it modifies the horizontal scan frequency of you
   multisync CRT so that the monitors begins to overheat. This in
   turn causes the monitor case to melt! The next thing the virus
   does is gain access to the basic functions of your IDE
   controller and reversing the spin of your hard disk.
   We have yet to discover a solution for this virus and we are
   working around the clock at it. But PLEASE! Befor you do
   anything else. Send this message to everyone you know, so that
   they may take whatever precautions they feel nessary.
   Dr. Kenhert, Cambridge University

Ignore this message and do no pass it on.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More