Crazy Imp Virus
Virus Name: Crazy Imp
Aliases: Imp
V Status: Rare
Discovery: January, 1992
Symptoms: .COM file growth; decrease in total system and available free
memory; file time may disappear
Origin: Unknown
Eff Length: 1,445 Bytes
Type Code: PRtCK - Parasitic Resident .COM Infector
Detection Method: Sweep, ViruScan, F-Prot, AVTK, ChAV, NAV, IBMAV, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Crazy Imp virus was submitted in January, 1992. Its origin and
point of isolation are unknown. Crazy Imp is a memory resident
stealth virus which infects .COM programs, including COMMAND.COM.
If the Crazy Imp virus is memory resident, anti-viral programs will
not be able to detect it on programs as this virus disinfects
programs as they are read into memory.
The first time a program infected with the Crazy Imp virus is
executed, the Crazy Imp virus will install itself memory resident at
the top of system memory but below the 640K DOS boundary. The
top-of-memory value returned by interrupt 12 will have been moved
down. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have decreased
by 4,096 bytes. Interrupts 1C and 21 will be hooked by the virus
in memory. The program pointed to by the COMSPEC environment
variable, usually COMMAND.COM, will also be infected at this time
if it was not previously infected by the Crazy Imp virus.
Once the Crazy Imp virus is memory resident, it will infect .COM
programs when they are executed or opened. While the virus is
memory resident, infected programs will not appear to have any file
length increase, because the virus hides it. When the
virus is not memory resident, infected programs will have a file
length increase of 1,445 bytes with the virus being located at the
end of the infected file. The following text strings can be found
in the viral code in infected programs when the virus is not
memory resident:
"Crazy imp"
"v2.0"
As indicated earlier, Crazy Imp is a stealth virus which infects
programs when they are opened or executed, hides the file length
increase, and disinfects programs as they are read into memory.
Running an anti-viral program which is not aware of this virus while
the virus is memory resident can result in the infection of all .COM
programs on the system, since the scanner opens each file (which
triggers infection) and is shown only the disinfected image, so no
changes are detected on the infected files.
If you think you have this virus, power off the system and reboot
from a write-protected, uninfected system diskette, and then check
the system for the virus or changes to files.
It is unknown if Crazy Imp does anything besides replicate.
Known variant(s) of Crazy Imp are:
Crazy Imp-1402: Also known as Crazy Imp v1.5, Crazy Imp-1402
is an earlier version of the Crazy Imp virus described
above. Its size in memory is 6,144 bytes, hooking
interrupts 1C, 21, and 22. Once memory resident, it
infects .COM programs, including COMMAND.COM, when they
are executed or opened. Infected programs will have
a file length increase of 1,402 bytes with the virus
being located at the beginning of the file. The file
length increase, however, is hidden by the virus when
it is memory resident. The file date and time in the
DOS disk directory will appear to be unaltered, or
may "disappear". The seconds field in the file time
will have been set to "62". The following text strings
are visible within the Crazy Imp-1402 viral code:
"Crazy imp"
"v1.5"
Origin: Unknown December, 1992.
Crazy Imp-B: Functionally similar to the original Crazy Imp
virus, this variant has two bytes which differ.
Origin: USSR August, 1992.
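An added triage example, written for this page in Python and not part of the original entry or of any anti-viral product named above, that checks the indicators the entry lists for the main strain and for Crazy Imp-1402: the marker strings, the file growth of 1,445 or 1,402 bytes measured against a previously recorded size, and the seconds field of 62 in the DOS directory time. The file images, sizes and timestamps below are constructed for the example, and the function and class names are my own. DOS packs seconds/2 into the low five bits of the time word, so a seconds value of 60 or 62 never appears on a normally written file, which is what makes the 62-second marker usable. Because the resident virus disinfects files as they are read and hides the size increase, these checks are only meaningful after booting from a clean, write-protected system diskette, as the entry advises.

```python
"""Offline checks for the Crazy Imp indicators given in the entry.

Added example, not the entry's own text. Run it from a clean boot; a
resident stealth virus would otherwise hand the scanner disinfected
file images. All samples below are constructed, not real infected files.
"""
from dataclasses import dataclass, field
from typing import Optional

# Text markers the entry reports for each strain.
MARKERS = {
    "Crazy Imp": (b"Crazy imp", b"v2.0"),
    "Crazy Imp-1402": (b"Crazy imp", b"v1.5"),
}
# File length increase the entry gives for each strain.
GROWTH = {"Crazy Imp": 1445, "Crazy Imp-1402": 1402}


def dos_time_fields(word: int) -> tuple:
    """Unpack a 16-bit DOS directory time word into (hours, minutes, seconds).

    Layout: bits 11-15 hours, bits 5-10 minutes, bits 0-4 seconds/2.
    Legitimate seconds/2 values are 0..29; 30 and 31 decode to 60 and 62.
    """
    hours = (word >> 11) & 0x1F
    minutes = (word >> 5) & 0x3F
    seconds = (word & 0x1F) * 2
    return hours, minutes, seconds


def pack_dos_time(hours: int, minutes: int, half_seconds: int) -> int:
    """Build a DOS time word (used here only to construct sample entries)."""
    return (hours << 11) | (minutes << 5) | half_seconds


def has_marker_seconds(word: int) -> bool:
    """True when the directory time carries the 62-second marker of the 1402 variant."""
    return dos_time_fields(word)[2] == 62


def strain_from_strings(data: bytes) -> Optional[str]:
    """Return the strain whose marker strings all appear in the file image."""
    for name, needles in MARKERS.items():
        if all(n in data for n in needles):
            return name
    return None


def strain_from_growth(baseline_size: int, current_size: int) -> Optional[str]:
    """Match the size delta against the per-strain growth listed in the entry."""
    delta = current_size - baseline_size
    for name, growth in GROWTH.items():
        if delta == growth:
            return name
    return None


@dataclass
class ComFile:
    """A .COM file image plus its directory time and, if known, its earlier size."""
    name: str
    data: bytes
    dos_time: int                       # raw 16-bit directory time word
    baseline_size: Optional[int] = None  # size recorded before infection, if any


def triage(f: ComFile) -> dict:
    """Combine the three indicators into one finding for a file."""
    finding = {"name": f.name, "strain": None, "reasons": []}
    by_strings = strain_from_strings(f.data)
    if by_strings:
        finding["strain"] = by_strings
        finding["reasons"].append("marker strings present")
    if f.baseline_size is not None:
        by_growth = strain_from_growth(f.baseline_size, len(f.data))
        if by_growth:
            finding["strain"] = finding["strain"] or by_growth
            finding["reasons"].append(
                f"grew by {len(f.data) - f.baseline_size} bytes")
    if has_marker_seconds(f.dos_time):
        finding["reasons"].append("seconds field is 62")
    return finding


# Constructed samples: a clean 200-byte program; the same program with a
# 1,445-byte appended image carrying the v2.0 strings (virus at end of file);
# and the program with a 1,402-byte prepended image carrying the v1.5 strings
# and the 62-second timestamp (virus at start of file, as for the 1402 variant).
ORIGINAL = b"\xC3" * 200
MAIN_IMAGE = b"Crazy imp" + b"\x00" * 1400 + b"v2.0" + b"\x90" * 32      # 1,445 bytes
VARIANT_IMAGE = b"Crazy imp" + b"v1.5" + b"\x00" * 1389                  # 1,402 bytes

CLEAN = ComFile("CLEAN.COM", ORIGINAL, pack_dos_time(9, 30, 5), 200)
MAIN = ComFile("PROG.COM", ORIGINAL + MAIN_IMAGE, pack_dos_time(9, 30, 5), 200)
VARIANT = ComFile("OLD.COM", VARIANT_IMAGE + ORIGINAL, pack_dos_time(9, 30, 31), 200)

if __name__ == "__main__":
    for sample in (CLEAN, MAIN, VARIANT):
        print(triage(sample))
```

The size check needs a baseline recorded while the system was known clean; without one, only the string and timestamp checks apply, and a file that grew by some other amount is not cleared by this script.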