Threat Description

Matra R-440


Aliases:Matra R-440, April fools joke


There is no virus by this name. However, there was a widespread April Fools joke distributed discussing a hypotethical virus by this name. The actual message consisted of several other well-known hoax message.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

The actual message was posted to several newsgroups on 29th of March, 1997, and looked like this:

 From: Kenhert
Subject: !!!!!!!! VIRUS ALERT !!!!!!!!!!
Date: Sat, 29 Mar 1997 06:16:23 GMT
!!! Virus Alert !!!
Matra R-440 Crotale Virus

The Virus (or Viruses, rather)

The worlds first multi-platform, multi-environment, and
multi-sytems virus surfaced in Missouri on March 14, 1997. It
was written in Pakistan by a group called Intollerant I-Rads.
It seems to have been written by some extremely talented
people. The extrodinary thing about it is it can infect any
system and any OS and any chipset. It is not just one virus,
but rather a series of them with an identical purpose.
The first virus was sent about 3,000 people world wide via
email. It is not a self-starting trojan as some people believe
these types of things are, but rather a document attached to
the email. This version of the virus is a MacroTrojan. It was
sent to people using Netscape Navigator Mail and because
Netscapes mail supports HTML tags they just used a simple tag
that would autoload the DOC. The document containes the macros
AARTS0, NTYAAA, PayLoad, and AutoOpen. When the document is
opened the virus becomes active and infects all other
documents opened after that the original. It then writes its
code to the boot sector so it automatically loads with any
type of reboot. From then it infects any COM/EXE file opened.
Also, the next time you send someone email the virus uses the
Netscape address book to send itself to anyone you've ever
sent e-mail to.

The second virus distributes itself on the modem sub-carrier
present in all newer modems. The sub-carrier is used for ROM
and register debugging purposes only, and otherwise serves no
other purpose. The virus sets a bit pattern in one of the
internal modem registers. A modem that has been "infected"
with this virus will then transmit the virus to other modems
that use a subcarrier. The virus then attaches itself to all
binary incoming data and infects the host computer's hard
disk. The only way to get rid of this virus is to completely
reset all the modem registers by hand.

The third virus is the last known version of this virus. This
virus works on the same principles of the second version
instead it travels through powerlines. It gets into the line
by traveling on the 60 Hz sub-carrier. It works by reversing
the I/O port pinouts thus achieving control over the CPU and
the rest is history.

Sole Purpose
It seems that this is a rather, actually, extremely
distructive virus. Although it may enter you system
differently, once inside it behaves the exact same way. The
virus contains the text "(c)1997 by Intollerant I-Rads. All
rights reserved. Unauthorized reproduction is prohibited by
law." and "Matra R-440 Virus, the Almighty!". The virus has a
self-changing encryption algorythm, so every time it is
written to disk it appears differently, making it nearly
impossible to detect. When a computer is booted up the virus
automatically loads before trapping 13h disabling
any virus scanner that might be loaded after It
then checks the real time clock using 17Ah, if it returns that
the date is Jan. 6 then the virus becomes activated.

Any time after Jan. 6 the virus will become active if the
computer is left idle for 30 minutes. The virus then displays
the message, "Do not turn off you computer until this virus is
finished working on your hard drive or you will lose
everything." What the virus is doing is encrypting all the
data on the drive with XOR. While it is encrypting the data
this virus does one of two things. It either focuses part of
the cathode ray beam in your monitor, burning a hole in your
screen, or it modifies the horizontal scan frequency of you
multisync CRT so that the monitors begins to overheat. This in
turn causes the monitor case to melt! The next thing the virus
does is gain access to the basic functions of your IDE
controller and reversing the spin of your hard disk.

We have yet to discover a solution for this virus and we are
working around the clock at it. But PLEASE! Befor you do
anything else. Send this message to everyone you know, so that
they may take whatever precautions they feel nessary.
Dr. Kenhert, Cambridge University

Ignore this message and do no pass it on.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More