Threat Descriptions

PS-MPC

Classification

Category :

Malware

Type :

-

Platform :

-

Aliases :

PS-MPC

Summary

The PS-MPC program is not a virus, but a virus creation tool, which can be used to create similar, easily detected viruses - usually encrypted.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:Abraxas, Alien, ARCV-1, Bamestra, Cinco, Eclypse, Gold, Jo, Kersplat, McWhale, Mimic, Page, Schrunch, Small-ARCV, Swansong, Tim, Walkabout, Warez, Z10

and approximately 200 other variants

Variant:Math-Test

The PS-MPC.Math-test virus was found from the CD-ROM disk "Software Vault, Collection 2" in October 1993. The infection was discovered when a private person from Helsinki, Finland, contacted F-Secure Ltd at the end of October. This person's computer was almost completely infected by the virus.

PS-MPC.Math-test is one of the viruses created with Phalcon/Skism Mass Produced Code Generator. The virus stays resident in memory and infects practically all executed COM and EXE programs. It activates every day between 9 and 10 a.m., displays some simple summing problems and demands that the user solve them. If the user doesn't get the answer right, the virus won't execute the requested program.

The infected file is located in the directory 18 of the CD-ROM, and it is contained inside the packet 64BLAZER.ZIP. The same directory contains also a clean version of the program, by the name 64BLAZE.ZIP.

[Math-test analysis: Mikko Hypponen, F-Secure]