Threat description




The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The CD contains one file infected by the Marburg virus:



MGM - the publisher of the game - made an announcment on this on 12th of August, 1998:

From: "K.Egan (MGM)" []
Subject: MGM WarGames Statement
Date: Wed, 12 Aug 1998 18:03:39 -0700
MGM Interactive recently learned that its WarGames PC game
shipped with the Win32/Marburg.a virus contained in the
electronic registration program. The company is working as
fast as it can to resolve the problem
MGM Interactive is committed to delivering top quality
products to consumers. This is an unfortunate circumstance and
we sincerely apologize for any convenience this has caused
If you have any questions or if you would like to receive a
replacement disc, please contact MGM Interactive. 		 		

The same virus also got widespread circulation in August 1998, when it was included on the cover CD of the Australian "PC Power Play" magazine.

This CD contains these files infected by the Marburg virus:


In July 1998, the Win95/Marburg virus got yet again widespread circulation when it was included by accident on the cover CD of the UK-based PC Gamer Magazine's July 1998 edition. The infected files are on "CD Gamer 2" included with the magazine, and are called


The SMACKPLW program is automatically executed if you watch any of the preview videos from the CD.

There are localized versions of the PC Gamer magazine in circulation in addition to the UK edition.

The Swedish edition has these files infected instead of the ones listed above:


The Slovenian edition has the same infected files as the UK edition.

The Italian July/August edition is clean.

Marburg is a polymorphic Windows 95/98 virus which contains this text:

[ Marburg ViRuS BioCoded by GriYo/29A ] 	


Marburg infects Win32 EXE and SCR (screen saver) files, encrypting its own code with variable polymorphic encryption layer.

The polymorphic engine of the virus is advanced. It encrypts the virus with 8, 16 and 32 bit key with several different methods. The virus uses slow polymorphisism, which means that it changes the decryptor of itself very slowly.

Marburg deletes integrity databases of several anti-virus products. It also avoids infecting many known anti-virus product executable files, including any executable which has the letter "V" in its name. This is done to avoid triggering the self-check of these programs.

Marburg activates three months after initial infection. If an infected application is executed exactly on the same hour as the inital infection, the virus displays the standard Windows error icon (red cross in white circle) in random positions all over the screen.

See also: HPS

[Peter Szor and Mikko Hypponen, F-Secure, 1998]

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info