Dreamer Virus

Virus Name: Dreamer Aliases: Hitler V Status: Rare Discovered: May, 1993 Symptoms: .COM file growth; decrease in total system & available free memory; "Hitler!" from system speaker; DOS CHKDSK file allocation errors Origin: Unknown Eff Length: 4,808 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: AVTK, F-Prot, ViruScan, Sweep, ChAV, NAV, IBMAV, NAVDX, VAlert, PCScan, NShld, Sweep/N, AVTK/N, NProt, NAV/N, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Dreamer, or Hitler, virus was submitted in May, 1993. Its origin or point of isolation is unknown. Dreamer is a memory resident infector of .COM programs, including COMMAND.COM, and is a "size stealth" virus as it hides the file length increase on infected files. When the first Dreamer infected program is executed, the Dreamer virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 1C and 21. Interrupt 12's return will not be moved. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 5,072 bytes. Once the Dreamer virus is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will increase in size by 4,808 bytes, though the file length increase will be hidden by the virus when it is memory resident. The virus will be located at the end of the infected program. The file's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the Dreamer viral code: "Hitler Virus by Dreamer/DY" After being memory resident for approximately 15 minutes, the Dreamer virus will activate. At this time the word "Hitler!" will be repeatedly emitted from the system speaker, and a system hang will occur.