The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
The CD contains one file infected by the Marburg virus:
MGM - the publisher of the game - made an announcment on this on 12th of August, 1998:
From: "K.Egan (MGM)" [email@example.com] Subject: MGM WarGames Statement Date: Wed, 12 Aug 1998 18:03:39 -0700 MGM Interactive recently learned that its WarGames PC game shipped with the Win32/Marburg.a virus contained in the electronic registration program. The company is working as fast as it can to resolve the problem ... MGM Interactive is committed to delivering top quality products to consumers. This is an unfortunate circumstance and we sincerely apologize for any convenience this has caused you. ... If you have any questions or if you would like to receive a replacement disc, please contact MGM Interactive.
The same virus also got widespread circulation in August 1998, when it was included on the cover CD of the Australian "PC Power Play" magazine.
This CD contains these files infected by the Marburg virus:
\GAMES\MAX2\MAX2BETA.EXE AND \GAMES\STARTREK\FURYDEMO.EXE.
In July 1998, the Win95/Marburg virus got yet again widespread circulation when it was included by accident on the cover CD of the UK-based PC Gamer Magazine's July 1998 edition. The infected files are on "CD Gamer 2" included with the magazine, and are called
\UTILS\XEARTH\XEARTH.EXE \UTILS\QPAINT\QPAINT.EXE \VIDEO\SMACKPLW.EXE
The SMACKPLW program is automatically executed if you watch any of the preview videos from the CD.
There are localized versions of the PC Gamer magazine in circulation in addition to the UK edition.
The Swedish edition has these files infected instead of the ones listed above:
\SHARE\3DJONG\M3DJONGG.EXE \PATCHAR\QUAKE2\Q2-315~8.EXE \SPEL\KKND2\DIRECTX\DDHELP.EXE
The Slovenian edition has the same infected files as the UK edition.
The Italian July/August edition is clean.
Marburg is a polymorphic Windows 95/98 virus which contains this text:
[ Marburg ViRuS BioCoded by GriYo/29A ]
Marburg infects Win32 EXE and SCR (screen saver) files, encrypting its own code with variable polymorphic encryption layer.
The polymorphic engine of the virus is advanced. It encrypts the virus with 8, 16 and 32 bit key with several different methods. The virus uses slow polymorphisism, which means that it changes the decryptor of itself very slowly.
Marburg deletes integrity databases of several anti-virus products. It also avoids infecting many known anti-virus product executable files, including any executable which has the letter "V" in its name. This is done to avoid triggering the self-check of these programs.
Marburg activates three months after initial infection. If an infected application is executed exactly on the same hour as the inital infection, the virus displays the standard Windows error icon (red cross in white circle) in random positions all over the screen.
See also: HPS
[Peter Szor and Mikko Hypponen, F-Secure, 1998]