Emmie Virus


 Virus Name:  Emmie 
 Aliases:    
 V Status:    Rare 
 Discovered:  May, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; characters typed on the keyboard may be repeated, 
              file allocation errors 
 Origin:      Israel 
 Eff Length:  2,702 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, Sweep, F-Prot, ChAV, 
                    IBMAV, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Emmie virus was discovered in Israel in May, 1992.  It is a 
       memory resident virus which infects .COM programs, including 
       COMMAND.COM, employing stealth techniques to avoid detection. 
 
       The first time a program infected with the Emmie virus is executed, 
       the Emmie virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Interrupt 12's 
       return will not have been moved.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 2,752 bytes.  Interrupts 01, 09, 10, 17, and 21 will be hooked 
       by Emmie in memory.  COMMAND.COM will also be infected at this 
       time, if not previously infected by the virus. 
 
       Once the Emmie virus is memory resident, it may infect .COM 
       programs when they are opened.  It does not infect programs when 
       they are executed.  Programs infected with the Emmie virus will 
       have a file length increase of 2,702 bytes with the virus being 
       located at the end of the file.  The file length increase will not 
       be visible if Emmie is memory resident.  The program's date and time 
       in the DOS disk directory listing will not be altered. 
 
       The following text strings can be found within the viral code in 
       Emmie infected programs: 
 
               "My name is Emmie, I am Eddie's sister." 
               ".com .COM" 
               "It'll tire you too much." 
 
       Systems infected with the Emmie virus will notice that CHKDSK will 
       return file allocation errors on infected files when the virus is 
       memory resident.  The virus will also occassionally repeat a 
       character entered on the system keyboard two times. 
 
       Known variant(s) of Emmie are: 
       Emmie.2823: Received in February, 1995, Emmie 2823 is a 2,823 
           byte variant of the Emmie virus described above.  Its size in 
           memory is 5,520 bytes, hooking interrupts 01, 08, 09, 10, 17, 
           and 21.  It infects all of the .COM files in the current 
           directory larger than the virus itself when the virus becomes 
           memory resident, as well as infecting .COM files when they are 
           executed.  Infected .COM files will have a file length increase 
           of 2,823 bytes, though this increase will be hidden when the 
           virus is memory resident.  The following text strings are 
           encrypted within the viral code: 
           ".com .COM" 
           "It'll tire you too much." 
           "My name is Emmie, I am Eddie's sister. 03/24/92" 
           Emmie.2823 will cause some characters typed on the system 
           keyboard to be repeated when the virus is memory resident. 
           Origin:  Unknown  February, 1995.

Show viruses from discovered during that infect .

Main Page