Ieronim Virus
Virus Name: Ieronim
Aliases: Ieronim-570
V Status: Rare
Discovered: October, 1992
Symptoms: .COM file growth; decrease in total system and available
free memory; file date/time changes
Origin: USSR
Eff Length: 570 Bytes
Type Code: PRtC - Parasitic Resident .COM Infector
Detection Method: Sweep, ViruScan, AVTK, IBMAV, F-Prot,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, IBMAV/N,
NAV/N
Removal Instructions: Delete infected files
General Comments:
The Ieronim, or Ieronim-570, virus was received in October, 1992.
It is from the USSR. Ieronim is a memory resident infector of .COM
programs, but not COMMAND.COM.
The first time a program infected with the Ieronim virus is executed,
the Ieronim virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary, moving interrupt 12's
return. Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 576 bytes. Interrupts
08 and 21 will be hooked by Ieronim in memory.
Once memory resident, the Ieronim virus will infect .COM programs
when they are executed. Infected programs will have a file length
increase of 570 bytes with the virus being located at the end of the
file. The program's date and time in the DOS disk directory listing
will have been updated to the current system date and time when
infection occurred. The following text strings are visible within
the viral code in all Ieronim infected programs:
"comcommand"
"Mulier pulchra est janua diaboli"
"via iniquitatis,scorpionis percussio."
"St. Ieronim"
The Ieronim virus will occasionally display the following message
when it is memory resident, usually accompanied by a system hang:
"Mulier pulchra est janua diaboli
via iniquitatis,scorpionis percussio.
St. Ieronim"
Known variant(s) of Ieronim are:
Ieronim-512: A 512 byte variant of the Ieronim virus described
above, this variant's size in memory is approximately
1K. It hooks interrupts 08, 20, and 21. Once resident,
Ieronim-512 infects .COM programs, but not COMMAND.COM,
when they are executed. Infected programs will have
a file length increase of 512 to 1,023 bytes with the
virus being located at the beginning of the file. Only
512 bytes of the file length increase is the actual
viral code, the remainder of the file length increase
is padding at the end of the file with a portion of the
host program code. Once a file has been initially
infected with Ieronim-512, its file length will be a
multiple of 1,024 bytes. The file's date and time in
the DOS disk directory listing will have been updated to
the current system date and time. Ieronim-512 is not
able to determine when a program has been previously
infected by the virus, so programs may be reinfected,
adding an additional 512 bytes with each reinfection.
The following text strings are visible within the viral
code in Ieronim-512 infected programs:
"command"
"Mulier pulchra est janua diaboli,"
"via inquitatis,scorpionis percussio."
"St. Ieronim"
The virus will occasionally display the last three
text strings as a message, accompanied by beeping, when
an infected program is executed.
Origin: USSR December, 1992.
Ieronim-560: A 560 byte variant of the Ieronim virus described
above, this variant's size in memory is approximately
1K. It hooks interrupts 08, 20, and 21. Once resident,
Ieronim-560 infects .COM programs, but not COMMAND.COM,
when they are executed. Infected programs will have
a file length increase of 560 to 1,119 bytes with the
virus being located at the beginning of the file. Only
560 bytes of the file length increase is the actual
viral code, the remainder of the file length increase
is padding at the end of the file with a portion of the
host program code. Once a file has been initially
infected with Ieronim-560, its file length will be a
multiple of 560 bytes. The file's date and time in
the DOS disk directory listing will not be altered.
Ieronim-560 is not able to determine when a program has
been previously infected by the virus, so programs may
be reinfected, adding an additional 560 bytes with each
reinfection. The following text strings are visible
within the viral code in Ieronim-560 infected programs:
"command"
"Mulier pulchra est janua diaboli,"
"via inquitatis,scorpionis percussio."
"St. Ieronim"
The virus may occasionally display the last three
text strings as a message, accompanied by beeping, when
an infected program is executed.
Origin: USSR December, 1992.
Ieronim-600: Based on the Ieronim virus described above, this
variant's size in memory is 608 bytes, hooking
interrupts 08 and 21. It infects .COM programs other
than COMMAND.COM when they are executed, adding 600
bytes to their length. The virus will be located at
the end of the file. The program's date and time in
the DOS disk directory listing will not be altered.
It contains the same text as the original virus, and
like the original virus, will display the message
indicated above occasionally when the virus is
memory resident.
Origin: USSR December, 1992.
Ieronim.1020: Based on the Ieronim virus described above, this
variant's size in memory is 3,072 bytes, hooking
interrupts 08 and 21. It infects .COM programs other
than COMMAND.COM when they are executed, adding 1,020
bytes to their length. The virus will be located at
the beginning of the file. The program's date and time
in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to
"60". The following text strings are encrypted within
the viral code:
"Mulier pulchra est janua diaboli,"
"via iniquitatis,scorpionis percussio."
"St. Ieronim"
"Beautiful woman is a devil's entrance,"
"a way of misfortunes,a scorpion's bite"
"St. Ieronim"
"5command3"
After Ieronim.1020 has been memory resident for some
time, it will display the following message in a box on
the left center portion of the system display, and
hang the system:
"Beautiful woman is a devil's entrance,
a way of misfortunes,a scorpion's bite
St. Ieronim"
Beeping from the system speaker may also occur at this
time.
Origin: Unknown July, 1995.
Ieronim.1024: Based on the Ieronim virus described above, this
variant's size in memory is 3,072 bytes, hooking
interrupts 1C and 21. It infects .COM programs other
than COMMAND.COM when they are executed, adding 1,024
bytes to their length. The virus will be located at
the beginning of the file. The program's date and time
in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to
"60". No text strings are visible within the viral code.
Origin: Unknown July, 1995.
Ieronim.1082: Based on the Ieronim virus described above, this
variant's size in memory is 4,096 bytes, hooking
interrupts 09 and 21. It infects .COM programs other
than COMMAND.COM when they are executed, adding 1,082
bytes to their length. The virus will be located at
the beginning of the file. The program's date and time
in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to
"60". The following text strings are encrypted within
the viral code:
"OMOTE!"
"command"
Execution of some programs may result in the virus
clearing the system display and displaying a red box
containing the first text string above. After a few
seconds, another block will be displayed below the
first box, in violet, containing text which is most
likely in an Eastern European language. After a few
more seconds, the original program display is restored.
The purpose here appears to be to interfere with some
utilities which look at the interrupt table and other
areas of system memory.
Origin: Unknown July, 1995.
Ieronim-1581: Based on the Ieronim virus described above, this
variant's size in memory is 1,584 bytes, hooking
interrupts 08 and 21. It infects .COM programs other
than COMMAND.COM when they are executed, adding 1,581
bytes to their length. The virus will be located at
the end of the file. The program's date and time in
the DOS disk directory listing will have been updated
to the current system date and time. The following
text strings can be found within the viral code in all
Ieronim-1581 infected programs:
"command"
"Le voyage de condom"
After Ieronim-1581 has been memory resident for a while,
it will scroll the system display and emit an
occasional beep until the system is reset. No message
is displayed.
Origin: USSR December, 1992.
Ieronim II.1166: Based on the Ieronim virus described above,
this variant's size in memory is 4,096 bytes, hooking
interrupts 08 and 21. It infects .EXE programs when
they are executed, adding 1,166 to 1,677 bytes to their
length. The large range of file lengths is due to the
manner in which this variant infects .EXE files. It
first pads the host program so that it will have a file
length which is a multiple of 512 bytes, then adds
1,166 bytes of viral code. The virus will be located at
the end of the file. The program's date and time
in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the
viral code:
"Mulier pulchra est janua diaboli,"
"via iniquitatis,scorpionis percussio."
"St. Ieronim"
"Beautiful woman is a devil's entrance,"
"a way of misfortunes,a scorpion's bite"
"St. Ieronim"
Beeping may occur after the virus has been resident for
some period of time.
Origin: Unknown July, 1995.
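
Added example (not part of the original entry): a Python triage routine that checks a file and its FAT directory entry against indicators listed above, namely the visible text strings, the "60" seconds marker of Ieronim.1020/.1024/.1082, and two of the length patterns. It shows why the seconds marker matters for the variants whose strings are encrypted. Function names and sample data are constructed for illustration; the 32-byte directory entry layout (time word at offset 22, size at offset 28) is the standard FAT layout, not something stated in this entry.

```python
import struct

# Strings this entry lists as visible (unencrypted) in infected programs.
VISIBLE_STRINGS = (
    b"Mulier pulchra est janua diaboli",
    b"St. Ieronim",
    b"Le voyage de condom",          # Ieronim-1581
)

def dirent_fields(entry: bytes):
    """Return (name, seconds, size) from a 32-byte FAT directory entry.
    The low 5 bits of the time word hold seconds/2, so a normally written
    entry decodes to 0..58; 60 is only reachable by writing the field raw,
    and a DOS directory listing does not show seconds at all."""
    time_word, = struct.unpack_from("<H", entry, 22)
    size, = struct.unpack_from("<I", entry, 28)
    name = entry[0:8].decode("ascii").rstrip() + "." + entry[8:11].decode("ascii").rstrip()
    return name, (time_word & 0x1F) * 2, size

def triage(entry: bytes, data: bytes) -> list:
    """List the indicators from this entry that a file matches."""
    name, seconds, size = dirent_fields(entry)
    hits = ["string:" + s.decode("ascii") for s in VISIBLE_STRINGS if s in data]
    if seconds == 60:                # reported for Ieronim.1020, .1024, .1082
        hits.append("seconds=60")
    # Length rules are weak hints: clean files can match them by chance.
    if name.endswith(".COM") and size > 0 and size % 1024 == 0:
        hits.append("weak:length multiple of 1,024 (Ieronim-512)")
    if name.endswith(".EXE") and size > 1166 and (size - 1166) % 512 == 0:
        hits.append("weak:length = 512n + 1,166 (Ieronim II.1166)")
    return hits

def make_entry(name83: bytes, h: int, m: int, half_secs: int, size: int) -> bytes:
    """Build a constructed directory entry for the samples below."""
    e = bytearray(32)
    e[0:11] = name83
    struct.pack_into("<H", e, 22, (h << 11) | (m << 5) | half_secs)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

# Constructed samples: no viral code, only the indicators described above.
PLAIN = b"\x90" * 16 + b"Mulier pulchra est janua diaboli," + b"\x00" * 975
ENCRYPTED = bytes(range(256)) * 5    # no readable strings, like the .1020 body
```

A string scan alone reports nothing for the ENCRYPTED sample; only the seconds marker in its directory entry flags it.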