Virus Name: Sleepwalker
V Status: Rare
Discovered: September, 1993
Symptoms: .COM file growth; decrease in total system & available free
memory; file time changed to 10:47a
Eff Length: 1,268 - 1,282 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: AVTK, F-Prot, IBMAV, Sweep, ViruScan,
NAV, NAVDX, VAlert, PCScan, ChAV,
AVTK/N, Sweep/N, NShld, NProt, IBMAV/N, Innoc, NAV/N
Removal Instructions: Delete infected files
The Sleepwalker virus was submitted in September, 1993, and is from
Australia. Sleepwalker is a memory resident virus which infects
.COM programs, including COMMAND.COM.
When the first Sleepwalker infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, hooking interrupts 1C and 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 1,552 bytes. Interrupt 12's return
will not have been moved.
Once the Sleepwalker virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed or opened.
Infected programs will have a file length increase of 1,268 to 1,282
bytes with the virus being located at the end of the file. The
file's date in the DOS disk directory listing will not be altered,
but the file time will have been altered to "10:47a". The following
text strings are visible within the Slime viral code:
"Sleepwalker. (c) OPTUS 1993."
It is unknown what Sleepwalker does besides replicate.