Classification

Category: Malware

Type: Virus

Aliases: Marburg

Summary


The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The CD contains one file infected by the Marburg virus:

\EREG\EREG32.EXE 	

	
 

MGM - the publisher of the game - made an announcment on this on 12th of August, 1998:

From: "K.Egan (MGM)" [kegan@mgm.com]
Subject: MGM WarGames Statement
Date: Wed, 12 Aug 1998 18:03:39 -0700
MGM Interactive recently learned that its WarGames PC game
shipped with the Win32/Marburg.a virus contained in the
electronic registration program. The company is working as
fast as it can to resolve the problem
...
MGM Interactive is committed to delivering top quality
products to consumers. This is an unfortunate circumstance and
we sincerely apologize for any convenience this has caused
you.
...
If you have any questions or if you would like to receive a
replacement disc, please contact MGM Interactive. 		 		

The same virus also got widespread circulation in August 1998, when it was included on the cover CD of the Australian "PC Power Play" magazine.

This CD contains these files infected by the Marburg virus:

\GAMES\MAX2\MAX2BETA.EXE AND
\GAMES\STARTREK\FURYDEMO.EXE. 		 		

In July 1998, the Win95/Marburg virus got yet again widespread circulation when it was included by accident on the cover CD of the UK-based PC Gamer Magazine's July 1998 edition. The infected files are on "CD Gamer 2" included with the magazine, and are called

\UTILS\XEARTH\XEARTH.EXE
\UTILS\QPAINT\QPAINT.EXE
\VIDEO\SMACKPLW.EXE 		 		

The SMACKPLW program is automatically executed if you watch any of the preview videos from the CD.

There are localized versions of the PC Gamer magazine in circulation in addition to the UK edition.

The Swedish edition has these files infected instead of the ones listed above:

\SHARE\3DJONG\M3DJONGG.EXE
\PATCHAR\QUAKE2\Q2-315~8.EXE
\SPEL\KKND2\DIRECTX\DDHELP.EXE 		 		

The Slovenian edition has the same infected files as the UK edition.

The Italian July/August edition is clean.

Marburg is a polymorphic Windows 95/98 virus which contains this text:

[ Marburg ViRuS BioCoded by GriYo/29A ] 	

	
 

Marburg infects Win32 EXE and SCR (screen saver) files, encrypting its own code with variable polymorphic encryption layer.

The polymorphic engine of the virus is advanced. It encrypts the virus with 8, 16 and 32 bit key with several different methods. The virus uses slow polymorphisism, which means that it changes the decryptor of itself very slowly.

Marburg deletes integrity databases of several anti-virus products. It also avoids infecting many known anti-virus product executable files, including any executable which has the letter "V" in its name. This is done to avoid triggering the self-check of these programs.

Marburg activates three months after initial infection. If an infected application is executed exactly on the same hour as the inital infection, the virus displays the standard Windows error icon (red cross in white circle) in random positions all over the screen.

See also: HPS

[Peter Szor and Mikko Hypponen, F-Secure, 1998]