Imi Virus
Virus Name: Imi
Aliases: Imi.A, Imi.1536
V Status: New
Discovered: July, 1994
Symptoms: .EXE file growth; TSR; file date/time changes
Origin: Unknown
Eff Length: 1,536 - 1,550 Bytes
Type Code: PRsE - Parasitic Resident .EXE Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep, NAV, NAVDX, VAlert, PCScan,
Sweep/N, AVTK/N, IBMAV/N, NShld, NProt, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The Imi or Imi.A virus was received in July, 1994. Its origin or
point of isolation is unknown. A total of six viruses in the Imi
family were received initially, with the other five variants listed
below as Imi.B, Imi.C, Imi.D, Imi.E, and Imi.F. While Imi infects
.EXE files, other variants of this virus will also infect .COM
files.
When the first Imi infected program is executed, this virus will
install itself memory resident as a low system memory TSR of 1,856
bytes. Interrupts 21 and 22 will be hooked by the virus in memory.
Once the Imi virus is memory resident, it will infect .EXE programs
when they are executed. Infected .EXE programs will have a file
length increase of 1,536 to 1,550 bytes with the virus being located
at the end of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system date
and time when infection occurred. The following text strings
are visible within the viral code in all Imi infected programs:
"Hello!This is IMI 1.0b.When you see these words,"
"you have been infected the IMI 1.0b virus.This is just"
"for experiment.Please contact me immediately for cure."
"Fu-Jen U. E.E. Wilbur Dam.1993.4.8"
"WIMI 1.0b,"
"Wilbur,"
It is unknown what Imi may do besides replicate.
Known variant(s) of Imi are:
Imi.1536.G: Received in July, 1995, Imi.1536.G is based on the
Imi virus described above. Its memory resident TSR is 1,840
bytes, hooking interrupt 22. It infects .EXE files when they
are executed. Infected files will have a file length increase
of 1,536 to 1,550 bytes with the virus being located at the end
of the file. The file's date and time in the DOS disk directory
listing will have been updated to the current system date and
time when infection occurred. The following text strings are
visible within the viral code:
"Hello! How is it?"
"This is ----Pandora III."
"Soochow University Business Administration Dep."
"Writen By Blood Mary 1994.10.08"
"Blood Mary"
Origin: Unknown July, 1995.
Imi.1538: Received in January, 1995, Imi.1538 is based on the
Imi virus described above. Its in-memory TSR is 1,856 bytes,
hooking interrupt 22. It will infect .COM and .EXE programs,
but not COMMAND.COM, when they are executed. Infected .COM
programs will have a file length increase of 1,538 bytes with
the virus being located at the beginning of the file. Infected
.EXE programs will have a file length increase of 1,538 to 1,552
bytes with the virus being located at the end of the file. The
following text strings are visible within the viral code:
"commandCOMMAND"
"Hello!This is IMI 1.0b virus!"
"OIMI"
Origin: Unknown January, 1995.
Imi.1656: Received in January, 1995, Imi.1656 is based on the
Imi virus described above. Its in-memory TSR is 1,968 bytes,
hooking interrupt 22. It will infect .COM and .EXE programs,
but not COMMAND.COM, when they are executed. Infected .COM
programs will have a file length increase of 1,656 bytes with
the virus being located at the beginning of the file. Infected
.EXE programs will have a file length increase of 1,656 to 1,670
bytes with the virus being located at the end of the file. The
following text strings are visible within the viral code:
"commandCOMMAND"
"Hello!This is IMI 1.0b virus!"
"OIMI 1.0b"
Imi.1656 may reinfect previously infected .COM files, adding an
additional 1,656 bytes with each reinfection.
Origin: Unknown January, 1995.
Imi.2304: Received in May, 1995, Imi.2304 is based on the
Imi virus described above. Its in-memory TSR is 1,888 bytes,
hooking interrupt 22. It will infect .EXE programs when they are
executed. Infected programs will have a file length increase of
2,304 to 2,318 bytes with the virus being located at the end of
the file. The file's date and time in the DOS disk directory
listing will have been updated to the current system date and time
when infection occurred. The following text strings are visible
within the viral code:
"Dark Satan Virus"
"(c) Copyright 1994 Written By Mad Satan in TAIWAN."
"Satan Ver 3.06"
"1994/04 - Mad Satan -"
"Mad Satan Mad Satan"
Origin: Taiwan May, 1995.
Imi.B: Also received in July, 1994, Imi.B is based on the Imi
virus described above. Imi.B will infect .COM programs in addition
to .EXE programs. Infected .COM programs will have a file length
increase of 1,536 bytes with the virus being located at the
beginning of the file. Infected .EXE programs will have a file
length increase of 1,536 to 1,550 bytes with the virus being
located at the end of the file. The following text strings are
visible within the viral code in all infected programs:
"Hello!This is IMI 1.0b virus!"
"OIMI 1.0b"
Origin: Unknown July, 1994.
Imi.C: Also received in July, 1994, Imi.C is based on the Imi.B
virus described above. Imi.C will infect .COM and .EXE programs,
but not COMMAND.COM. Its in-memory TSR is 1,840 bytes, hooking
interrupts 21 and 22. Infected .COM programs will have a file
length increase of 1,536 bytes with the virus being located at the
beginning of the file. Infected .EXE programs will have a file
length increase of 1,536 to 1,550 bytes with the virus being
located at the end of the file. The following text strings are
visible within the viral code in all infected programs:
"commandCOMMAND"
"Hello!This is IMI 1.0b virus!"
"OIMI 1.0b"
Origin: Unknown July, 1994.
Imi.D: Based on Imi.C, this is a functionally similar variant,
with the exception that its in-memory TSR is 1,856 bytes. It
contains the same text strings.
Origin: Unknown July, 1994.
Imi.E: Based on Imi.D, this variant is functionally similar with
the exception that infected programs will not have their file
date and time in the DOS disk directory altered.
Origin: Unknown July, 1994.
Imi.F: Based on Imi.E, this variant is functionally similar.
Origin: Unknown July, 1994.
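
Added example (not part of the original entry): a triage scanner that looks for the text strings quoted above only where the entry says the viral code sits, at the end of .EXE files and at the beginning of .COM files. The 4 KiB search window, the function names and the sample buffers are assumptions made for illustration; several variants share a string, so a hit narrows the family rather than naming one variant.

```python
import os

# Marker strings copied from the entry above; labels follow its variant list.
MARKERS = [
    (b"Hello!This is IMI 1.0b.When you see these words,", "Imi (Imi.A)"),
    (b"Hello!This is IMI 1.0b virus!", "Imi.B/C/D, Imi.1538 or Imi.1656"),
    (b"This is ----Pandora III.", "Imi.1536.G"),
    (b"Dark Satan Virus", "Imi.2304"),
]
# Assumption: 4 KiB covers the largest growth listed above (2,318 bytes).
WINDOW = 4096


def scan_bytes(data):
    """Return [(variant_label, file_offset)] for markers in the expected region."""
    is_exe = data[:2] in (b"MZ", b"ZM")  # DOS .EXE header signature
    # Per the entry: the body is appended to .EXE files, prepended to .COM files.
    base = max(len(data) - WINDOW, 0) if is_exe else 0
    region = data[base:] if is_exe else data[:WINDOW]
    hits = []
    for marker, label in MARKERS:
        pos = region.find(marker)
        if pos != -1:
            hits.append((label, base + pos))
    return hits


def scan_tree(root):
    """Scan every .COM/.EXE file under root; return {path: hits} for matches."""
    found = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.upper().endswith((".COM", ".EXE")):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
                if hits:
                    found[path] = hits
    return found


# Constructed samples: inert padding plus a marker string, no viral code.
SAMPLE_EXE = b"MZ" + b"\x00" * 6000 + MARKERS[0][0] + b"\x00" * 1000
SAMPLE_COM = b"\x90" * 200 + MARKERS[1][0] + b"\x00" * 6000
CLEAN_EXE = b"MZ" + b"\x00" * 8000

if __name__ == "__main__":
    for name, blob in [("exe", SAMPLE_EXE), ("com", SAMPLE_COM), ("clean", CLEAN_EXE)]:
        print(name, scan_bytes(blob))
```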