VMem Virus


 Virus Name:  VMem   
 Aliases:    
 V Status:    Rare 
 Discovered:  May, 1992 
 Symptoms:    .COM & .EXE growth; VMEM.SYS hidden file created; CONFIG.SYS 
              altered; decrease in available free memory; file date changes; 
              system hangs 
 Origin:      Israel 
 Eff Length:  3,291 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, IBMAV, NAVDX, 
                    NAV, VAlert, ChAV, 
                    Innoc, NShld, Sweep/N, AVTK/N, IBMAV/N, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The VMem virus was isolated in Israel in May, 1992.  VMem is a 
       memory resident virus which employs stealth technology to avoid 
       detection by anti-viral utilities. 
 
       When the first VMem infected program is executed, the VMem virus 
       will create a hidden system file, VMEM.SYS, in the current drive's 
       root directory.  This hidden file will be 3,275 bytes in length 
       and have its date and time set to either all blanks or the current 
       system date and time.  Also at this time, the VMem virus will 
       update the CONFIG.SYS file in the root directory to add the 
       following line: 
 
               "device=\vmem.sys" 
 
       If CONFIG.SYS does not exist in the current drive's root directory, 
       the virus will create one containing the above line.  Once the 
       virus has completed this process, the program the user was attempting 
       to execute will run.  The virus is not yet memory resident. 
 
       The next time the user boots the system from a drive on which
       VMEM.SYS has been created and CONFIG.SYS updated, the VMem virus
       will become memory resident as a device driver.
       Available system memory, as indicated by the DOS CHKDSK program, 
       will have decreased by approximately 3,696 bytes.  Interrupt 21 
       will be hooked by VMem in memory. 
 
       After the VMem virus is memory resident, it will infect .COM and 
       .EXE programs when they are opened or executed.  Infected programs 
       will have a file length increase of 3,291 bytes with the virus 
       being located at the end of the file.  The program's date in the
       DOS disk directory will have its day set to "00".  The VMem
       virus hides the file length increase and the change in the file 
       date's day when it is memory resident.  The following text strings 
       can be found in VMem infected files: 
 
               "DOS50VMS" or "DOS33VMS" 
               "LLP" 
 
       The following text strings are encrypted within the VMem virus and 
       are not visible in infected files: 
 
               "TERMINATOR" 
               "COMSPEC" 
               "VMEM" 
 
       Systems infected with the VMem virus may experience system crashes 
       when the virus is attempting to infect programs.  The DOS CHKDSK 
       program will not indicate file allocation errors on infected 
       programs. 
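
       The indicators described above can be checked offline.  The
       following is an added example, not part of the original entry:
       it parses raw FAT directory entries from a disk image examined
       on a clean system (the resident virus hides the day and length
       changes) and reports the hidden VMEM.SYS, the CONFIG.SYS line,
       the day "00" and the visible strings.  The function names, the
       sample data and the choice to require "LLP" together with a
       "DOS..VMS" string are assumptions of this example.

```python
import struct

HIDDEN, SYSTEM, VOLUME, DIRECTORY = 0x02, 0x04, 0x08, 0x10
MARKERS = (b"DOS50VMS", b"DOS33VMS")  # visible strings listed in the entry above

def parse_dir(raw):
    """Yield (name, attr, day, size) for each file in a raw FAT directory region."""
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                      # no further entries
            break
        if e[0] == 0xE5 or e[11] & (VOLUME | DIRECTORY):
            continue                          # deleted entry, label or subdirectory
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        date, _cluster, size = struct.unpack_from("<HHI", e, 24)
        yield (base + "." + ext if ext else base), e[11], date & 0x1F, size

def vmem_indicators(root_dir, config_sys=b"", files=None):
    """Return (indicator, detail) pairs for the symptoms described in the entry."""
    found = []
    for name, attr, day, size in parse_dir(root_dir):
        if name == "VMEM.SYS" and attr & HIDDEN and attr & SYSTEM and size == 3275:
            found.append(("hidden-driver", name))
        if name.endswith((".COM", ".EXE")) and day == 0:
            found.append(("day-00", name))    # day field 0 is not a valid date
    for line in config_sys.splitlines():
        if line.lower().replace(b" ", b"") == b"device=\\vmem.sys":
            found.append(("config-line", line.decode("ascii", "replace")))
    for name, data in (files or {}).items():
        if b"LLP" in data and any(m in data for m in MARKERS):
            found.append(("marker-strings", name))
    return found

def make_entry(name, ext, attr, year, month, day, size):
    """Build one constructed 32-byte directory entry for the sample below."""
    date = ((year - 1980) << 9) | (month << 5) | day
    return (name.ljust(8) + ext.ljust(3)).encode("ascii") + bytes([attr]) + \
        bytes(10) + struct.pack("<HHHI", 0, date, 2, size)

# Constructed sample: one clean file, the hidden driver, one file with day "00".
SAMPLE_DIR = (make_entry("COMMAND", "COM", 0x20, 1991, 4, 9, 47845)
              + make_entry("VMEM", "SYS", HIDDEN | SYSTEM, 1992, 5, 1, 3275)
              + make_entry("EDIT", "EXE", 0x20, 1991, 4, 0, 3704)
              + bytes(32))
SAMPLE_CONFIG = b"files=30\r\ndevice=\\vmem.sys\r\n"
SAMPLE_FILES = {"EDIT.EXE": b"MZ" + bytes(64) + b"DOS50VMS" + bytes(8) + b"LLP"}

if __name__ == "__main__": print(vmem_indicators(SAMPLE_DIR, SAMPLE_CONFIG, SAMPLE_FILES))
```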
      
