Threat Description

Matra R-440

Details

Category: Other
Type: Other
Platform: N/A
Aliases: Matra R-440, April fools joke

Summary


There is no virus by this name. However, a widespread April Fools' joke describing a hypothetical virus by this name was distributed. The actual message consisted of several other well-known hoax messages.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The actual message was posted to several newsgroups on 29th of March, 1997, and looked like this:

    From: Kenhert
    Subject: !!!!!!!! VIRUS ALERT !!!!!!!!!!
    Date: Sat, 29 Mar 1997 06:16:23 GMT

    !!! Virus Alert !!!
    Matra R-440 Crotale Virus

    The Virus (or Viruses, rather)

    The world's first multi-platform, multi-environment, and
    multi-systems virus surfaced in Missouri on March 14, 1997. It
    was written in Pakistan by a group called Intollerant I-Rads.
    It seems to have been written by some extremely talented
    people. The extraordinary thing about it is it can infect any
    system and any OS and any chipset. It is not just one virus,
    but rather a series of them with an identical purpose.

    The first virus was sent to about 3,000 people world wide via
    email. It is not a self-starting trojan as some people believe
    these types of things are, but rather a document attached to
    the email. This version of the virus is a MacroTrojan. It was
    sent to people using Netscape Navigator Mail and because
    Netscape's mail supports HTML tags they just used a simple tag
    that would autoload the DOC. The document contains the macros
    AARTS0, NTYAAA, PayLoad, and AutoOpen. When the document is
    opened the virus becomes active and infects all other
    documents opened after that the original. It then writes its
    code to the boot sector so it automatically loads with any
    type of reboot. From then it infects any COM/EXE file opened.
    Also, the next time you send someone email the virus uses the
    Netscape address book to send itself to anyone you've ever
    sent e-mail to.

    The second virus distributes itself on the modem sub-carrier
    present in all newer modems. The sub-carrier is used for ROM
    and register debugging purposes only, and otherwise serves no
    other purpose. The virus sets a bit pattern in one of the
    internal modem registers. A modem that has been "infected"
    with this virus will then transmit the virus to other modems
    that use a subcarrier. The virus then attaches itself to all
    binary incoming data and infects the host computer's hard
    disk. The only way to get rid of this virus is to completely
    reset all the modem registers by hand.

    The third virus is the last known version of this virus. This
    virus works on the same principles of the second version
    instead it travels through powerlines. It gets into the line
    by traveling on the 60 Hz sub-carrier. It works by reversing
    the I/O port pinouts thus achieving control over the CPU and
    the rest is history.

    Sole Purpose

    It seems that this is a rather, actually, extremely
    destructive virus. Although it may enter your system
    differently, once inside it behaves the exact same way. The
    virus contains the text "(c)1997 by Intollerant I-Rads. All
    rights reserved. Unauthorized reproduction is prohibited by
    law." and "Matra R-440 Virus, the Almighty!". The virus has a
    self-changing encryption algorithm, so every time it is
    written to disk it appears differently, making it nearly
    impossible to detect. When a computer is booted up the virus
    automatically loads before command.com trapping 13h disabling
    any virus scanner that might be loaded after command.com. It
    then checks the real time clock using 17Ah, if it returns that
    the date is Jan. 6 then the virus becomes activated.

    Any time after Jan. 6 the virus will become active if the
    computer is left idle for 30 minutes. The virus then displays
    the message, "Do not turn off you computer until this virus is
    finished working on your hard drive or you will lose
    everything." What the virus is doing is encrypting all the
    data on the drive with XOR. While it is encrypting the data
    this virus does one of two things. It either focuses part of
    the cathode ray beam in your monitor, burning a hole in your
    screen, or it modifies the horizontal scan frequency of your
    multisync CRT so that the monitor begins to overheat. This in
    turn causes the monitor case to melt! The next thing the virus
    does is gain access to the basic functions of your IDE
    controller and reversing the spin of your hard disk.

    Solution

    We have yet to discover a solution for this virus and we are
    working around the clock at it. But PLEASE! Before you do
    anything else. Send this message to everyone you know, so that
    they may take whatever precautions they feel necessary.

    Dr. Kenhert, Cambridge University

Ignore this message and do not pass it on.





