Classification

Category :

Malware

Type :

Virus

Aliases :

Messev

Summary

Messev.3158 is an encrypted, memory-resident stealth virus that infects COM and DOS EXE files. It also acts as a dropper for the Gwar boot virus. The virus body is encrypted with a variable key; there are 255 possible key variants.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Messev installs itself into memory using the last MCB (Memory Control Block) and immediately passes control to its body there. First the virus traces the Int 13h and Int 21h handler chains to locate the original handlers. Then it tries to infect the hard disk with the Gwar boot virus, using direct calls to the original Int 13h and Int 21h handlers during this procedure.

To infect the MBR safely, the virus tries to delete the Windows 95 floppy device driver HSFLOP.PDR in the \System\IOSubSys folder, but a bug in the virus means this never happens. The virus checks whether Gwar is already present in memory; if it is not, the hard disk is infected: the original MBR is copied to 0/0/2 (head/track/sector) and Gwar is written to 0/0/1. Because of this, the logical hard disk partitions become inaccessible when booting from a system diskette.

After dropping Gwar, the virus hooks Int 13h and Int 21h. It then reads the attributes of C:\COMMAND.COM and passes control to the original code of the infected host file.

COM and DOS EXE files are infected by Messev when they are accessed. The original 12 bytes from the start of the file are copied to the end of the virus body, and the virus then appends itself to the file. The time stamp of an infected file is not modified except for the seconds value, which is set to 60. Some programs larger than 400 KB and some packed programs can become unusable after infection. When infected files are copied to a floppy disk, they appear to be clean.
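The seconds-equals-60 time stamp described above is an infection marker that can be checked without decrypting the virus body. As an added example (not F-Secure's code), the following Python decodes the 16-bit DOS time field of FAT directory entries and flags entries that carry the marker; the function names and the sample directory bytes are constructed for this illustration.

```python
import struct

# DOS/FAT packs a time into 16 bits: bits 0-4 hold seconds/2 (valid range
# 0..29), bits 5-10 the minutes and bits 11-15 the hours. A low-bits value
# of 30 decodes to 60 seconds, which DOS itself never writes.
MESSEV_SECONDS_MARKER = 60


def decode_dos_time(word: int) -> tuple[int, int, int]:
    """Unpack a 16-bit DOS time field into (hours, minutes, seconds)."""
    seconds = (word & 0x1F) * 2
    minutes = (word >> 5) & 0x3F
    hours = (word >> 11) & 0x1F
    return hours, minutes, seconds


def has_infection_marker(word: int) -> bool:
    """True when the time field carries the seconds == 60 marker."""
    return decode_dos_time(word)[2] == MESSEV_SECONDS_MARKER


def scan_fat_directory(entries: bytes) -> list[tuple[str, str]]:
    """Walk 32-byte FAT directory entries; return (name, hh:mm:ss) of suspects."""
    suspects = []
    for off in range(0, len(entries) - 31, 32):
        entry = entries[off:off + 32]
        if entry[0] in (0x00, 0xE5):      # unused or deleted slot
            continue
        if entry[11] & 0x08:              # volume label or long-name slot
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        wtime = struct.unpack_from("<H", entry, 22)[0]   # last-write time
        if has_infection_marker(wtime):
            h, m, s = decode_dos_time(wtime)
            full = f"{name}.{ext}" if ext else name
            suspects.append((full, f"{h:02d}:{m:02d}:{s:02d}"))
    return suspects


def make_entry(name: str, ext: str, time_word: int) -> bytes:
    """Build a constructed 32-byte FAT directory entry for testing."""
    e = bytearray(32)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = 0x20                          # archive attribute, plain file
    struct.pack_into("<H", e, 22, time_word)
    return bytes(e)


# Constructed sample directory: one clean file, one bearing the marker.
CLEAN_TIME = (12 << 11) | (34 << 5) | 14   # 12:34:28
MARKED_TIME = (12 << 11) | (34 << 5) | 30  # 12:34:60, the marker
SAMPLE_DIR = make_entry("COMMAND", "COM", CLEAN_TIME) + make_entry("EDIT", "COM", MARKED_TIME)
```

The same decoding applies to the DOS time stored in ZIP and ARJ member headers, so archived COM/EXE files can be triaged the same way; the marker is shared by several old DOS viruses, so a hit identifies a candidate for scanning, not Messev specifically.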

The virus has the following text strings:

 'This is a pretty lame virus, I only released it'
 'coz I wanted to infect some ppl.'
 'Messev - Screwed version.'
 'If I don't pass... f*ck it! SKLSUX!'
 'My gun will be your angel of mercy!'
 '[ DEMANUFACTURE - FEAR FACTORY ]'

The virus uses anti-debugging tricks. It disables the keyboard, and if that fails it performs a trick with stack values and writes garbage to the DOS boot record. This can happen if the program is debugged carelessly.

The virus's stealth routine hides all signs of infection in infected objects. When archivers (ARJ.EXE, PKZIP.EXE, LHA.EXE and RAR.EXE), CHKDSK or TBSCAN are executed, the virus disables its stealth routines.