Lemming Virus
Virus Name: Lemming
Aliases: Keeper.Lemming, Lemming.2144
V Status: New
Discovered: July, 1995
Symptoms: .COM & .EXE file growth; file date/time seconds = "60" or "62";
decrease in available free memory
Origin: Unknown
Eff Length: 2,144 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, VAlert, ViruScan, Sweep, NAVDX, NAV,
IBMAV, PCScan, ChAV, NShld, Sweep/N, NAV/N, IBMAV/N, AVTK/N, NProt,
LProt, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Lemming virus was received in July, 1995. Its origin or point
of isolation is unknown. This virus is a memory resident stealth
virus which infects .COM and .EXE files, including COMMAND.COM.
When the first Lemming infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, not moving interrupt 12's return.
Available free memory, as indicated by the DOS CHKDSK program from
DOS 5.0, will have decreased by 4,320 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Lemming virus is memory resident, it will infect .COM and
.EXE files, including COMMAND.COM, when they are executed or
opened. Infected files will have a file length increase of 2,144
bytes, though this file length increase will not be visible when
the virus is memory resident. The viral code will be located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered; however, the seconds field
will have been set to either "60" or "62" on all infected files. The
following text strings are encrypted within the viral code:
"You Will Never Trust Anti-Virus Software Again!!"
"ThunderByte-1994-Australia."
"ver 1.0"
"[HiTMaN]"
"TBAVTBSCANNAVVSAFEFPROT"
"COMcomEXEexe"
This virus may interfere with the functionality of some anti-virus
program versions.
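The seconds marker described above can be checked directly in raw directory data, since DOS stores seconds divided by two in the low five bits of the time word and a real clock never produces the values 30 and 31 ("60" and "62"). The following is an added example, not part of the original entry: it assumes the standard 32-byte DOS directory entry layout, the function names are hypothetical, and the sample directory is constructed. A hit is only a reason to run a scanner on the file, and the bytes should come from a disk image or a clean boot.

```python
import struct

SUSPECT_SECONDS = {60, 62}       # marker values listed in the entry
TARGET_EXTS = {b"COM", b"EXE"}   # file types the entry says are infected

def decode_dos_time(word):
    """Split a 16-bit DOS time word into (hours, minutes, seconds)."""
    # bits 15-11 hours, 10-5 minutes, 4-0 seconds/2 (0-29 for a real clock)
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def scan_directory(raw):
    """Return [(filename, seconds)] for .COM/.EXE entries with the marker."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                      # no further entries
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:  # deleted, label or subdirectory
            continue
        name, ext = entry[0:8].rstrip(b" "), entry[8:11]
        (time_word,) = struct.unpack_from("<H", entry, 22)
        seconds = decode_dos_time(time_word)[2]
        if ext in TARGET_EXTS and seconds in SUSPECT_SECONDS:
            label = f"{name.decode('latin-1')}.{ext.decode('latin-1')}"
            hits.append((label, seconds))
    return hits

def make_entry(name, ext, hour, minute, sec_field, attr=0x20):
    """Build one constructed 32-byte directory entry (test data only)."""
    time_word = (hour << 11) | (minute << 5) | sec_field
    date_word = ((1995 - 1980) << 9) | (7 << 5) | 15
    return struct.pack("<8s3sB10xHHHI", name.ljust(8), ext, attr,
                       time_word, date_word, 2, 0)

# Constructed sample directory, not taken from a real disk.
SAMPLE = b"".join([
    make_entry(b"COMMAND", b"COM", 5, 0, 31),   # seconds field 31 -> "62"
    make_entry(b"CHKDSK", b"EXE", 5, 0, 12),    # ordinary timestamp (24 s)
    make_entry(b"EDIT", b"EXE", 12, 30, 30),    # seconds field 30 -> "60"
    make_entry(b"README", b"TXT", 9, 15, 31),   # marker value, wrong file type
    bytes(32),                                  # end-of-directory entry
])

if __name__ == "__main__":
    for filename, seconds in scan_directory(SAMPLE):
        print(f"{filename}: seconds field reads {seconds}")
```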
Known variant(s) of Lemming are:
Lemming.2146: Also received in July, 1995, this is a 2,146 byte
variant of the Lemming virus described above. Its size in
memory is 4,416 bytes, hooking interrupt 21. Infected files
will have a file length increase of 2,146 bytes, though this
file length increase will be hidden when the virus is memory
resident. The virus will be located at the end of the file.
Like Lemming, this variant sets the seconds field in the DOS
disk directory file date/time to "60" or "62". The following
text strings are encrypted within the viral code:
"SPTBDRV Never Trust Anti-Virus Software Again!!"
"ThunderByte-1994-[HiTMaN]."
"TBAVTBSCANNAVVSAFEFPROT"
"COMcomEXEexe"
"DOS OWN"
This variant appears to become memory resident only from .EXE
files.
Origin: Unknown July, 1995.
Lemming.2151: Also received in July, 1995, this is a 2,151 byte
variant of the Lemming virus described above. Its size in
memory is 4,320 bytes, hooking interrupt 21. Infected files
will have a file length increase of 2,151 bytes, though this
file length increase will be hidden when the virus is memory
resident. The virus will be located at the end of the file.
Like Lemming, this variant sets the seconds field in the DOS
disk directory file date/time to "60" or "62". The following
text strings are encrypted within the viral code:
"TBDRV"
"The Rise and Fall of ThunderByte-1994-Australia."
"You Will Never Trust Anti-Virus Software Again!!"
"[LEMMING] ver .99"
"TBAVTBSCANNAVVSAFEFPROT"
"COMcomEXEexe"
Attempting to execute programs from a write-protected diskette
will result in write-protect errors with this variant.
Origin: Unknown July, 1995.
See: Keeper