Additional Details
Messev installs itself into memory using the last MCB block and
immediately passes control to its body there. First the virus
traces Int 13h and Int 21h. Then the virus tries to infect the hard
disk with the Gwar boot virus. It uses direct calls to the Int 13h
and Int 21h handlers during this procedure.
To infect the MBR safely the virus tries to delete the Windows 95
floppy device driver HSFLOP.PDR located in the \System\IOSubSys
folder, but there is an error in the virus and this never happens.
The virus checks for the presence of Gwar in memory and, if it is
not present, the hard disk is infected: the original MBR is copied
to 0/0/2 (head/track/sector) and Gwar is copied to 0/0/1. Because
of this trick, logical hard disks become inaccessible when booting
from a system diskette.
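The relocation described above leaves a recognisable pattern on the disk: head 0 / track 0 / sector 1 (LBA 0) no longer carries a usable partition table, while sector 2 (LBA 1) holds a complete MBR. The following Python script is an added example, not part of the original analysis, that checks a raw disk image for that pattern. It assumes 512-byte sectors and builds a constructed sample image in which a signed but table-less sector sits at LBA 0 and an ordinary MBR at LBA 1; it does not contain or reproduce any boot-virus code.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
PARTITION_TABLE_OFFSET = 0x1BE  # 446: start of the four 16-byte partition entries


def parse_partition_table(sector: bytes):
    """Return (status, type, lba_start, sector_count) for each of the 4 entries."""
    entries = []
    for i in range(4):
        base = PARTITION_TABLE_OFFSET + 16 * i
        status = sector[base]
        ptype = sector[base + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, base + 8)
        entries.append((status, ptype, lba_start, sector_count))
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic: boot signature present and at least one sane partition entry."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return False
    return any(
        status in (0x00, 0x80) and ptype != 0 and lba != 0 and count != 0
        for status, ptype, lba, count in parse_partition_table(sector)
    )


def check_mbr_relocation(image: bytes) -> dict:
    """Inspect 0/0/1 and 0/0/2. These are always the first two sectors of the
    disk, so no CHS geometry is needed to locate them."""
    first = image[0:SECTOR_SIZE]
    second = image[SECTOR_SIZE:2 * SECTOR_SIZE]
    return {
        "sector1_is_valid_mbr": looks_like_mbr(first),
        "sector2_holds_mbr": looks_like_mbr(second),
    }


def build_sample_image() -> bytes:
    """Constructed sample image (assumption, not a real capture): a plausible
    original MBR moved to LBA 1 and a signed, table-less sector at LBA 0."""
    # One bootable FAT16 partition starting at LBA 63 (values are made up)
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF,
                        63, 2097088)
    original_mbr = (b"\x00" * PARTITION_TABLE_OFFSET + entry
                    + b"\x00" * 48 + BOOT_SIGNATURE)
    foreign_sector = b"\x00" * (SECTOR_SIZE - 2) + BOOT_SIGNATURE
    return foreign_sector + original_mbr + b"\x00" * SECTOR_SIZE * 6


if __name__ == "__main__":
    print(check_mbr_relocation(build_sample_image()))
```

A result of `sector1_is_valid_mbr: False` together with `sector2_holds_mbr: True` is consistent with the relocation this entry describes and explains why partitions vanish when booting from a diskette: DOS reads the partition table from sector 1 only. The partition-table check is a heuristic, so confirm by comparing the sector-2 contents against the machine's known layout before acting on it.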
After dropping Gwar the virus hooks Int 13h and Int 21h. Then it
gets the attributes of C:\COMMAND.COM and passes control to the
original code of the infected file.
COM and DOS EXE files are infected by Messev on access. The
original 12 bytes from the start of the file are copied to the end
of the virus body, and the virus then attaches itself to the file.
The time stamp of an infected file is not modified except for the
seconds value, which is set to 60. Some programs larger than 400k
and some packed programs may become unusable after infection. When
infected files are copied to a floppy disk they appear to be clean.
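The seconds value of 60 is the infection marker the virus uses to avoid reinfecting a file, and it is a useful detection signal for a defender as well: FAT stores seconds in a 5-bit field as seconds/2, so valid files only ever hold 0..29 (0..58 seconds), and a field value of 30 can only come from something writing it deliberately. The following Python script is an added example, not part of the original analysis, that decodes the last-write time of raw FAT directory entries and flags the ones carrying the marker. The directory entries it scans are constructed in the script itself.

```python
import struct

ENTRY_SIZE = 32
WRITE_TIME_OFFSET = 22   # last-write time word inside a FAT directory entry
ATTR_VOLUME_ID = 0x08    # set on volume labels and long-name pieces


def decode_fat_time(word: int) -> tuple:
    """Split a 16-bit FAT time: 5 bits hour, 6 bits minute, 5 bits seconds/2."""
    hour = (word >> 11) & 0x1F
    minute = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2
    return hour, minute, seconds


def encode_fat_time(hour: int, minute: int, seconds: int) -> int:
    """Inverse of decode_fat_time; seconds=60 yields the out-of-range field 30."""
    return ((hour & 0x1F) << 11) | ((minute & 0x3F) << 5) | ((seconds // 2) & 0x1F)


def make_entry(name: str, ext: str, hour: int, minute: int, seconds: int,
               size: int = 1024) -> bytes:
    """Constructed 32-byte FAT directory entry; only name and write time matter."""
    raw_name = name.ljust(8)[:8].encode() + ext.ljust(3)[:3].encode()
    # name, attr, ntres, crt_tenth, crt_time, crt_date, acc_date, clus_hi,
    # wrt_time, wrt_date, clus_lo, size
    return struct.pack("<11sBBBHHHHHHHI", raw_name, 0x20, 0, 0, 0, 0, 0, 0,
                       encode_fat_time(hour, minute, seconds), 0, 0, size)


def entry_seconds(entry: bytes) -> int:
    (wtime,) = struct.unpack_from("<H", entry, WRITE_TIME_OFFSET)
    return decode_fat_time(wtime)[2]


def find_marked_entries(directory: bytes) -> list:
    """Return the 8.3 names of entries whose write time carries seconds == 60."""
    flagged = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] in (0x00, 0xE5):          # never used / deleted slot
            continue
        if entry[11] & ATTR_VOLUME_ID:        # volume label or LFN fragment
            continue
        if entry_seconds(entry) == 60:
            flagged.append(entry[:11].decode("ascii", "replace"))
    return flagged


# Constructed sample directory: one marked file, one clean file, one free slot
SAMPLE_DIRECTORY = (
    make_entry("COMMAND", "COM", 12, 30, 60)
    + make_entry("README", "TXT", 9, 15, 30)
    + b"\x00" * ENTRY_SIZE
)

if __name__ == "__main__":
    print(find_marked_entries(SAMPLE_DIRECTORY))
```

Because the stealth routine hides the marker from programs that go through Int 21h on an infected machine, this check is only meaningful when the directory sectors are read from a clean-booted system or an offline image; otherwise the virus reports the original time stamp.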
The virus has the following text strings:
'This is a pretty lame virus, I only released it'
'coz I wanted to infect some ppl.'
'Messev - Screwed version.'
'If I don't pass... f*ck it! SKLSUX!'
'My gun will be your angel of mercy!'
'[ DEMANUFACTURE - FEAR FACTORY ]'
The virus uses anti-debugging tricks. It halts the keyboard and, if
that fails, performs a trick with stack values and writes garbage to
the DOS boot record. This can happen if the program is debugged
carelessly.
The stealth routine of the virus hides all signs of its presence in
infected objects. When archivers (ARJ.EXE, PKZIP.EXE, LHA.EXE and
RAR.EXE), CHKDSK or TBSCAN are executed, the virus disables its
stealth routines.
[Analysis: Alexey Podrezov, Szor Peter, F-Secure, 1997]