Ymir Virus
Virus Name: Ymir
Aliases: Ymir.101
V Status: Viron
Discovered: January, 1996
Symptoms: .COM file corruption; file date/time changes; message displayed; boot failures
Origin: Unknown
Eff Length: 101 Bytes Overwriting
Type Code: ONCK - Overwriting Non-Resident .COM Infector
Detection Method: IBMAV, ViruScan, NAV, NAVDX, ChAV, AVTK, F-Prot,
IBMAV/N, NShld, NAV/N, AVTK/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Ymir or Ymir.101 virus was received in January, 1996, along
with one variant, Ymir.144. Ymir is a non-resident overwriting
virus which infects .COM files, including COMMAND.COM. It
permanently corrupts the programs it infects.

When a program infected with the Ymir virus is executed, this
virus will infect one .COM file located in the current directory.
The following message is then displayed on the system monitor and
the user is returned to the DOS prompt:

"Program too big to fit in memory"

Programs infected with the Ymir virus will have the first 101
bytes of the host program overwritten by the Ymir viral code. The
program's date and time in the DOS disk directory listing will have
been updated to the current system date and time when infection
occurred. The following text strings are visible within the viral
code in all infected programs:

"[YMiR]"
"DHA 8/24/95"
"Program too big to fit in memory"

Systems infected with the Ymir virus will fail to boot once the
boot copy of COMMAND.COM becomes infected.

Known variant(s) of Ymir are:

Ymir.144: Also received in January, 1996, this is a 144 byte
variant of the Ymir virus described above, and is functionally
similar except that the first 144 bytes of the host program are
overwritten with the viral code.
Origin: Unknown January, 1996.
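
The overwritten-prefix and text-string details above can be turned into a simple triage check for .COM files. The following is an added example, not part of the original entry and not any listed scanner's method. The function names are hypothetical, the sample bytes are constructed filler rather than virus code, and it assumes the Ymir.144 variant carries the same strings as Ymir.101.

```python
import os

# Text strings the entry lists as visible in the viral code.
MARKERS = (b"[YMiR]", b"DHA 8/24/95", b"Program too big to fit in memory")
# Largest overwritten prefix in the entry (Ymir.101 = 101, Ymir.144 = 144).
HEAD_LEN = 144


def ymir_markers_in_head(data: bytes) -> list:
    """Return the listed strings found in the first HEAD_LEN bytes."""
    head = data[:HEAD_LEN]
    return [m.decode("ascii") for m in MARKERS if m in head]


def is_suspect(data: bytes) -> bool:
    """Flag only when both virus-specific strings sit in the file head.

    The "Program too big..." text is also a genuine DOS message, so it is
    reported by ymir_markers_in_head() but is never sufficient on its own.
    """
    found = ymir_markers_in_head(data)
    return "[YMiR]" in found and "DHA 8/24/95" in found


def scan_directory(path: str) -> dict:
    """Map each suspect .COM file name in `path` to the strings found."""
    hits = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.upper().endswith(".COM") and os.path.isfile(full):
            with open(full, "rb") as fh:
                data = fh.read(HEAD_LEN)
            if is_suspect(data):
                hits[entry] = ymir_markers_in_head(data)
    return hits


def make_sample(prefix_len: int) -> bytes:
    """Constructed test input: filler plus the listed strings, then a tail."""
    body = b"\x90" * 8 + b"[YMiR]" + b"DHA 8/24/95" + MARKERS[2]
    return body.ljust(prefix_len, b"\x90") + b"\x00" * 400


if __name__ == "__main__":
    print(scan_directory("."))
```

Because infection overwrites the start of the host, a hit means the file should be deleted and restored from a clean copy, as the removal instructions state.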