Classification

Category :

Malware

Type :

Virus

Aliases :

Marburg

Summary

The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The CD contains one file infected by the Marburg virus:

\EREG\EREG32.EXE

MGM Interactive, the publisher of the game, made the following announcement about this on 12 August 1998:

From: "K.Egan (MGM)" [kegan@mgm.com]
Subject: MGM WarGames Statement
Date: Wed, 12 Aug 1998 18:03:39 -0700
MGM Interactive recently learned that its WarGames PC game
shipped with the Win32/Marburg.a virus contained in the
electronic registration program. The company is working as
fast as it can to resolve the problem
...
MGM Interactive is committed to delivering top quality
products to consumers. This is an unfortunate circumstance and
we sincerely apologize for any inconvenience this has caused
you.
...
If you have any questions or if you would like to receive a
replacement disc, please contact MGM Interactive.

The same virus also got widespread circulation in August 1998, when it was included on the cover CD of the Australian "PC Power Play" magazine.

This CD contains these files infected by the Marburg virus:

\GAMES\MAX2\MAX2BETA.EXE
\GAMES\STARTREK\FURYDEMO.EXE

Marburg was also distributed by accident in July 1998, when it was included on the cover CD of the July 1998 edition of the UK-based PC Gamer magazine. The infected files are on the "CD Gamer 2" disc included with the magazine:

\UTILS\XEARTH\XEARTH.EXE
\UTILS\QPAINT\QPAINT.EXE
\VIDEO\SMACKPLW.EXE

SMACKPLW.EXE is executed automatically when any of the preview videos on the CD is watched, so simply viewing a preview from the CD runs the infected program.

There are localized versions of the PC Gamer magazine in circulation in addition to the UK edition.

The Swedish edition has these files infected instead of the ones listed above:

\SHARE\3DJONG\M3DJONGG.EXE
\PATCHAR\QUAKE2\Q2-315~8.EXE
\SPEL\KKND2\DIRECTX\DDHELP.EXE

The Slovenian edition has the same infected files as the UK edition.

The Italian July/August edition is clean.

Marburg is a polymorphic Windows 95/98 virus which contains this text:

[ Marburg ViRuS BioCoded by GriYo/29A ]

The string sits inside the encrypted part of the virus body, so a plain string search of an infected file will not normally find it.

Marburg infects Win32 EXE and SCR (screen saver) files, encrypting its own code with a variable polymorphic encryption layer.

The polymorphic engine of the virus is advanced: it encrypts the virus body with an 8-, 16- or 32-bit key using one of several different methods. The virus uses slow polymorphism, which means that it changes its decryptor only rarely. As a result, infected files collected from a single machine tend to share nearly identical decryptors, and such a collection does not show the full range of the engine's output, which makes building and testing detection harder.
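The encryption layer described above, as an added illustration for this page (not code from the virus, from F-Secure or from the authors): a toy model in Python of a body encrypted with an 8-, 16- or 32-bit key by one of several methods, together with the classic "X-ray" key recovery a scanner can apply against such a layer once it knows a plaintext string the body must contain. Only the text string quoted above is taken from the page; the toy body, the xor/add/sub method set, the key tiling from offset 0 and all function names are assumptions, and Marburg's real decryptor code and key handling are not described here.

```python
"""Toy polymorphic layer plus "X-ray" key recovery.

Added illustration, not Marburg's own engine: the real decryptor code, key
schedule and layout are not given on this page. It models only what the text
states (a body encrypted with an 8-, 16- or 32-bit key by one of several
methods) and shows why a fixed byte signature on the body fails, and how a
short repeating key can be recovered from a known plaintext string.
The body, the xor/add/sub method set and the key placement are assumptions.
"""
import os
import random
from typing import Callable, Dict, Optional, Tuple

# The text string the page says the virus carries.
MARKER = b"[ Marburg ViRuS BioCoded by GriYo/29A ]"

# Constructed toy "virus body" around the marker, padded to a multiple of 4
# so that 1-, 2- and 4-byte keys all tile it exactly. Not real virus code.
TOY_BODY = (b"\x55\x89\xe5" + b"\x90" * 10 + MARKER + b"\x31\xc0\xc3").ljust(60, b"\xcc")

METHODS = ("xor", "add", "sub")   # assumed method set
WIDTHS = (1, 2, 4)                # key width in bytes: 8-, 16-, 32-bit


def transform(data: bytes, method: str, width: int, key: int, decrypt: bool) -> bytes:
    """Apply xor/add/sub with a little-endian key of `width` bytes repeated from offset 0."""
    if len(data) % width:
        raise ValueError("data length must be a multiple of the key width")
    mask = (1 << (8 * width)) - 1
    if decrypt and method != "xor":          # add and sub are each other's inverse
        method = "sub" if method == "add" else "add"
    out = bytearray()
    for off in range(0, len(data), width):
        v = int.from_bytes(data[off:off + width], "little")
        if method == "xor":
            r = v ^ key
        elif method == "add":
            r = (v + key) & mask
        elif method == "sub":
            r = (v - key) & mask
        else:
            raise ValueError(method)
        out += r.to_bytes(width, "little")
    return bytes(out)


def encrypt_variant(body: bytes, rng: Callable[[int], bytes] = os.urandom) -> Tuple[Dict, bytes]:
    """Pick method, key width and key at random, the way a polymorphic engine varies its layer."""
    sel = rng(2)
    method = METHODS[sel[0] % len(METHODS)]
    width = WIDTHS[sel[1] % len(WIDTHS)]
    key = 0
    while key == 0:                          # a zero key would leave the body in clear
        key = int.from_bytes(rng(width), "little")
    return {"method": method, "width": width, "key": key}, transform(body, method, width, key, False)


def xray(cipher: bytes, known: bytes = MARKER) -> Optional[Dict]:
    """Recover the layer from a known plaintext string ("X-raying").

    For every candidate offset of `known` and every key width, take the first
    key-aligned chunk inside the string, derive the key that maps plaintext to
    ciphertext under each method, decrypt the whole body with it and keep the
    first candidate under which `known` really appears at that offset.
    Note that add with k and sub with -k are the same transform, and a repeated
    byte is both an 8- and a 16-bit key, so compare the recovered plaintext,
    not the exact parameters.
    """
    for width in WIDTHS:
        mask = (1 << (8 * width)) - 1
        for start in range(len(cipher) - len(known) + 1):
            aligned = -(-start // width) * width      # first key boundary at or after start
            p = int.from_bytes(known[aligned - start:aligned - start + width], "little")
            c = int.from_bytes(cipher[aligned:aligned + width], "little")
            for method, key in (("xor", c ^ p), ("add", (c - p) & mask), ("sub", (p - c) & mask)):
                plain = transform(cipher, method, width, key, True)
                if plain[start:start + len(known)] == known:
                    return {"method": method, "width": width, "key": key, "offset": start, "plain": plain}
    return None


def seeded_rng(seed: int) -> Callable[[int], bytes]:
    """Deterministic byte source so runs are reproducible."""
    r = random.Random(seed)
    return lambda n: r.getrandbits(8 * n).to_bytes(n, "little")


def demo(seed: int) -> Dict:
    """Encrypt the toy body with a seeded 'engine', then scan it naively and by X-ray."""
    params, cipher = encrypt_variant(TOY_BODY, seeded_rng(seed))
    found = xray(cipher)
    return {
        "params": params,
        "marker_visible": MARKER in cipher,   # what a plain string search on the file sees
        "recovered": found is not None and found["plain"] == TOY_BODY,
    }


if __name__ == "__main__":
    for seed in range(3):
        print(seed, demo(seed))
```

Running it shows `marker_visible` false for every variant while `recovered` is true: varying the key and method defeats a byte signature on the body, but a key this short is fixed by a few bytes of known plaintext. What a real engine adds on top is a decryptor whose instructions also vary, which is what makes the decryptor itself hard to signature; the body behind it is the same virus code in every infection.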

Marburg deletes the integrity databases of several anti-virus products. It also avoids infecting many known anti-virus executables, including any executable whose name contains the letter "V", so that it does not trigger the self-checks of these programs.

Marburg's payload activates three months after the initial infection. If an infected application is then executed during the same hour of the day as the initial infection took place, the virus draws the standard Windows error icon (a red cross in a white circle) at random positions all over the screen.

See also: HPS

[Peter Szor and Mikko Hypponen, F-Secure, 1998]