Threat Descriptions

Matra R-440

Classification

Category :

Other

Type :

Other

Platform :

-

Aliases :

Matra R-440, April fools joke

Summary

There is no virus by this name. However, there was a widespread April Fools joke distributed discussing a hypotethical virus by this name. The actual message consisted of several other well-known hoax message.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The actual message was posted to several newsgroups on 29th of March, 1997, and looked like this: 

 From: Kenhert

Subject: !!!!!!!! VIRUS ALERT !!!!!!!!!!

Date: Sat, 29 Mar 1997 06:16:23 GMT

!!! Virus Alert !!!

Matra R-440 Crotale Virus

 The Virus (or Viruses, rather)

 The worlds first multi-platform, multi-environment, and

multi-sytems virus surfaced in Missouri on March 14, 1997. It

was written in Pakistan by a group called Intollerant I-Rads.

It seems to have been written by some extremely talented

people. The extrodinary thing about it is it can infect any

system and any OS and any chipset. It is not just one virus,

but rather a series of them with an identical purpose. The first virus was sent about 3,000 people world wide via

email. It is not a self-starting trojan as some people believe

these types of things are, but rather a document attached to

the email. This version of the virus is a MacroTrojan. It was

sent to people using Netscape Navigator Mail and because

Netscapes mail supports HTML tags they just used a simple tag

that would autoload the DOC. The document containes the macros

AARTS0, NTYAAA, PayLoad, and AutoOpen. When the document is

opened the virus becomes active and infects all other

documents opened after that the original. It then writes its

code to the boot sector so it automatically loads with any

type of reboot. From then it infects any COM/EXE file opened.

Also, the next time you send someone email the virus uses the

Netscape address book to send itself to anyone you've ever

sent email to.
The second virus distributes itself on the modem sub-carrier

present in all newer modems. The sub-carrier is used for ROM

and register debugging purposes only, and otherwise serves no

other purpose. The virus sets a bit pattern in one of the

internal modem registers. A modem that has been "infected"

with this virus will then transmit the virus to other modems

that use a subcarrier. The virus then attaches itself to all

binary incoming data and infects the host computer's hard

disk. The only way to get rid of this virus is to completely

reset all the modem registers by hand.
The third virus is the last known version of this virus. This

virus works on the same principles of the second version

instead it travels through powerlines. It gets into the line

by traveling on the 60 Hz sub-carrier. It works by reversing

the I/O port pinouts thus achieving control over the CPU and

the rest is history.
Sole Purpose

It seems that this is a rather, actually, extremely

distructive virus. Although it may enter you system

differently, once inside it behaves the exact same way. The

virus contains the text "(c)1997 by Intollerant I-Rads. All

rights reserved. Unauthorized reproduction is prohibited by

law." and "Matra R-440 Virus, the Almighty!". The virus has a

self-changing encryption algorythm, so every time it is

written to disk it appears differently, making it nearly

impossible to detect. When a computer is booted up the virus

automatically loads before command.com trapping 13h disabling

any virus scanner that might be loaded after command.com. It

then checks the real time clock using 17Ah, if it returns that

the date is Jan. 6 then the virus becomes activated.

 Any time after Jan. 6 the virus will become active if the

computer is left idle for 30 minutes. The virus then displays

the message, "Do not turn off you computer until this virus is

finished working on your hard drive or you will lose

everything." What the virus is doing is encrypting all the

data on the drive with XOR. While it is encrypting the data

this virus does one of two things. It either focuses part of

the cathode ray beam in your monitor, burning a hole in your

screen, or it modifies the horizontal scan frequency of you

multisync CRT so that the monitors begins to overheat. This in

turn causes the monitor case to melt! The next thing the virus

does is gain access to the basic functions of your IDE

controller and reversing the spin of your hard disk.
Solution

We have yet to discover a solution for this virus and we are

working around the clock at it. But PLEASE! Befor you do

anything else. Send this message to everyone you know, so that

they may take whatever precautions they feel nessary.

Dr. Kenhert, Cambridge University

Ignore this message and do no pass it on.