QMU.1513

Type: Virus
SubType: Multi-Partite
Discovery Date: 11/01/1991
Length: 1,513 Bytes
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 11/15/1991
Description Modified: 11/15/1991 12:00 AM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low

Characteristics

QMU.1513 is a memory resident, multi-partite virus. It infects the Master Boot Record (MBR)/Boot Sector as well as .COM files, including COMMAND.COM.

Upon infection, QMU becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 2,080 bytes. Interrupts 13 and 21 are hooked. Interrupt 12's return is moved. At this time, QMU also infects the MBR, moving the original boot sector to side 0, cylinder 0, sector 2, and writing a full copy of the virus starting in sector 3.

If the system is later booted from the infected hard disk, the virus becomes memory resident at the top of system memory but below the 640K DOS boundary.

Once QMU is memory resident, it infects .COM files as they are executed.

It is not known what QMU does besides replicate.

Additional Comments:

The QMU virus was submitted in November 1991. QMU is a memory resident infector of the hard disk master boot sector (partition table) as well as .COM programs, including COMMAND.COM. Its origin is unknown.

When the first QMU infected program is executed on a system, QMU will become memory resident as a low system memory TSR of 2,080 bytes. The TSR will have hooked interrupts 13 and 21. At this time, QMU will also infect the hard disk master boot sector, moving the original master boot sector to side 0, cylinder 0, sector 2, and writing a full copy of the virus starting in sector 3.

If the system is later booted from the infected hard disk, the virus will become memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 5,120 bytes. Interrupts 13 and 21 will be hooked. Interrupt 12's return will have been moved.

Once QMU is memory resident, it will infect .COM programs when they are executed. Infected programs will have a file length increase of 1,513 bytes. The virus will be located at the end of infected files. The infected program's date and time in the DOS disk directory will have been updated to the current system date and time when infection occurred.

Text strings found in infected files include the boot sector error messages normally found in the boot sector, along with the following string:

"Bad command or file name"

It is unknown what QMU does besides replicate.

Symptoms

Text strings found in infected files include the boot sector error messages normally found in the boot sector, along with the following string:

"Bad command or file name"

Total system and available free memory decreases by 5,120 bytes. Infected files have a file length increase of 1,513 bytes. The virus is located at the end of infected files. The infected file's date and time in the DOS disk directory are updated to the system date and time of infection.
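
The file and disk indicators described above can be checked offline against a copied .COM file or a raw disk image. The Python below is an added triage example, not vendor code: the function names, the 512-byte sector size and the premise that the sectors after the MBR on cylinder 0, side 0 are otherwise unused are assumptions, and the sample data is constructed filler.

```python
import math

SECTOR = 512
VIRUS_LEN = 1513                      # file growth reported on the page
MARKER = b"Bad command or file name"  # string reported on the page
BOOT_SIG = b"\x55\xaa"                # standard boot-sector signature


def com_tail_hit(data: bytes) -> bool:
    """True if the marker string lies in the last 1,513 bytes of a .COM file."""
    if len(data) <= VIRUS_LEN:        # too small to be host plus appended body
        return False
    return MARKER in data[-VIRUS_LEN:]


def lba(cyl: int, head: int, sect: int, heads: int = 16, spt: int = 17) -> int:
    """CHS to LBA. Geometry defaults are assumed; unused for cylinder 0, side 0."""
    return (cyl * heads + head) * spt + (sect - 1)


def relocated_mbr_hit(image: bytes) -> bool:
    """True if track 0 of a raw disk image matches the described layout."""
    saved, body = lba(0, 0, 2), lba(0, 0, 3)
    end = (body + math.ceil(VIRUS_LEN / SECTOR)) * SECTOR   # body spans 3 sectors
    if len(image) < end:
        return False
    saved_sector = image[saved * SECTOR:(saved + 1) * SECTOR]
    # Assumption: on a clean DOS-era disk these track-0 sectors are unused.
    return saved_sector.endswith(BOOT_SIG) and any(image[body * SECTOR:end])


def constructed_samples():
    """Constructed filler bytes only; no real sample data."""
    host = b"\x90" * 4000
    tail = (b"\x00" * 700 + MARKER).ljust(VIRUS_LEN, b"\x00")
    mbr = b"\x00" * 510 + BOOT_SIG
    clean_disk = mbr + b"\x00" * (16 * SECTOR)
    suspect_disk = mbr + mbr + b"\xcc" * VIRUS_LEN + b"\x00" * (16 * SECTOR)
    return host, host + tail, clean_disk, suspect_disk


if __name__ == "__main__":
    clean_com, suspect_com, clean_disk, suspect_disk = constructed_samples()
    print(com_tail_hit(clean_com), com_tail_hit(suspect_com))
    print(relocated_mbr_hit(clean_disk), relocated_mbr_hit(suspect_disk))
```

A clean COMMAND.COM also contains the marker string, so a hit is a lead to confirm with a scanner, not a verdict. Analyse a disk image taken from clean boot media, since the resident virus hooks interrupt 13.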

Method of Infection

Multi-partite viruses have two main routes of infection: as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Removal

-

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • QMU
  • QQ-1513
