 Marburg
Threat Level:  Low
Distribution:  Low
Damage: High
The Threat Level varies according to the Distribution and Damage levels
 
  Effects
 

Marburg has the following effects:

  • It infects PE files, causing their size to increase by 8,000 bytes.
  • When an infected file is run at the same time as the infection took place, Marburg displays a presentation screen. This screen consists of several Windows error icons (a red circle with a white cross).



  Means of infection
 

Marburg has the following infection routine:

  • Before infecting files, Marburg deletes the following data files belonging to certain antivirus programs: Anti-vir.dat, chklist.ms, avp.crc and ivb.ntz. In addition, the virus checks file names and does not infect files whose names contain the letter V, nor files belonging to Panda, F-Prot and Scan.
  • First, it searches for the functions GetModuleHandleA and GetProcAddress, and then for 22 other functions.
  • During the infection process the virus uses a method similar to the one used by Win32/Cabanas: it scans the file's import table for the GetModuleHandleA and GetProcAddress entries and stores this information in the virus code. If these entries do not exist, the KERNEL32 code is scanned instead.
  • When an infected file is executed, the virus searches for the KERNEL32 routines.
  • If the virus cannot find the KERNEL32 functions, it returns control to the code of the original file. In any case, it always reserves a block of system memory, copies its code there (this copy is needed for its polymorphic features) and searches for files to infect.

This virus uses several techniques to make detection and disinfection more difficult. To this end, it carries out the following actions:

  • It replaces the address at the beginning of the PE header.
  • It saves the instruction that jumps to the virus (at the address at the beginning of the file) and does not modify the file header.
  • It writes a junk polymorphic routine at the entry point, followed by the instruction that jumps to the virus.


  Means of transmission
 

Marburg does not spread automatically using its own means. It needs the attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.


  Other details
 

Marburg is 7,848 bytes in size.

In addition, it contains the following text in its code:

GetModuleHandleA GetProcAddress CreateFileA CreateFileMappingA
MapViewOfFile UnmapViewOfFile CloseHandle FindFirstFileA FindNextFileA
FindClose VirtualAlloc GetWindowsDirectoryA GetSystemDirectoryA
GetCurrentDirectoryA SetFileAttributesA SetFileTime DeleteFileA
GetCurrentProcess WriteProcessMemory LoadLibraryA GetSystemTime GetDC
LoadIconA DrawIcon

[ Marburg ViRuS BioCoded by GriYo/29A ]
KERNEL32.dll USER32.dll
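The entry above gives a defender three concrete things to watch for: the antivirus integrity-data files the virus deletes before infecting (Anti-vir.dat, chklist.ms, avp.crc, ivb.ntz), the 8,000-byte growth of infected PE files, and the marker text in the virus body. The script below is an added example, not part of the Panda encyclopedia page or any Panda tool: it takes a clean baseline of PE files, then reports files whose contents or size changed, files that grew by exactly the reported amount, files carrying the marker string, and integrity-data files that have vanished. The file names, the minimal MZ/PE stub and the before/after snapshots in demo() are all constructed for the demonstration.

```python
import hashlib
from typing import Dict, List

# Marker string the encyclopedia entry reports inside the virus body.
MARBURG_MARKER = b"[ Marburg ViRuS BioCoded by GriYo/29A ]"
# Integrity-data files the entry says the virus deletes before infecting
# (compared case-insensitively, as on a Windows file system).
INTEGRITY_FILES = {"anti-vir.dat", "chklist.ms", "avp.crc", "ivb.ntz"}
# Growth of an infected PE file reported by the entry.
INFECTION_GROWTH = 8000


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_baseline(files: Dict[str, bytes]) -> dict:
    """Snapshot of a clean system: size and SHA-256 of each PE file, plus
    which integrity-data files were present at the time."""
    return {
        "pe": {name: {"size": len(d), "sha256": hashlib.sha256(d).hexdigest()}
               for name, d in files.items() if is_pe(d)},
        "integrity_files": sorted(n.lower() for n in files
                                  if n.lower() in INTEGRITY_FILES),
    }


def check(files: Dict[str, bytes], baseline: dict) -> List[str]:
    """Compare the current files against the baseline and list suspicious findings."""
    findings: List[str] = []
    # A vanished integrity-data file is itself a warning sign: the virus removes
    # them so that a later integrity scan has nothing to compare against.
    present = {n.lower() for n in files}
    for name in baseline["integrity_files"]:
        if name not in present:
            findings.append(f"integrity data file missing: {name}")
    for name, entry in baseline["pe"].items():
        data = files.get(name)
        if data is None:
            findings.append(f"{name}: file missing")
            continue
        growth = len(data) - entry["size"]
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            findings.append(f"{name}: contents changed (size delta {growth:+d} bytes)")
        if growth == INFECTION_GROWTH:
            findings.append(f"{name}: grew by exactly {INFECTION_GROWTH} bytes")
        if MARBURG_MARKER in data:
            findings.append(f"{name}: contains marker {MARBURG_MARKER.decode()}")
    return findings


def make_pe_stub(payload: bytes) -> bytes:
    """Constructed minimal MZ/PE header (not a loadable program) for the demo."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> "PE\0\0" right after
    return bytes(hdr) + b"PE\0\0" + payload


def demo() -> List[str]:
    """Constructed before/after snapshot: one PE grows by 8,000 bytes and carries
    the marker, and the four integrity-data files disappear."""
    clean = {
        "notepad.exe": make_pe_stub(b"\x90" * 64),
        "calc.exe": make_pe_stub(b"\xcc" * 32),
        "readme.txt": b"not a PE file",
        "Anti-vir.dat": b"constructed integrity data",
        "chklist.ms": b"constructed integrity data",
        "avp.crc": b"constructed integrity data",
        "ivb.ntz": b"constructed integrity data",
    }
    baseline = build_baseline(clean)
    appended = MARBURG_MARKER + b"\x00" * (INFECTION_GROWTH - len(MARBURG_MARKER))
    infected = {
        "notepad.exe": clean["notepad.exe"] + appended,
        "calc.exe": clean["calc.exe"],
        "readme.txt": clean["readme.txt"],
    }
    return check(infected, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the baseline is keyed on the file contents and not on the PE header, it also catches the header-preserving tricks listed under "Means of infection": a file whose entry-point bytes were overwritten with a polymorphic decryptor still changes its hash even though the header fields look untouched. The marker check is the weakest of the three signals, since a polymorphic encryptor can hide plain strings, which is why the size and hash comparisons are kept alongside it.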


Last updated:  July 6, 2006 
