Chemmy Virus

Virus Name: Chemmy Aliases: V Status: Rare Discovery: February, 1992 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Unknown Eff Length: 1,691 - 1,706 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, ChAV, NAV, NAVDX, VAlert, PCScan, Sweep/N, NShld, Innoc, AVTK/N, IBMAV/N, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The Chemmy virus was received in February, 1992. Its origin is unknown. Chemmy is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. When the first Chemmy infected program is executed, the Chemmy virus installs itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 3,392 bytes. Interrupt 12's return will not have been moved. Interrupt 22 will be hooked by the Chemmy virus in memory. After the Chemmy virus is memory resident, it will infect .COM and .EXE programs when they are copied. The source file will not be infected, only the target becomes infected. Programs infected with the Chemmy virus will have a file length increase of 1,691 to 1706 bytes with the virus being located at the end of the infected program. The file's date and time in the DOS disk directory listing will not be altered. Chemmy is an encrypted virus, and no text strings are visible within the viral code in infected programs. It is unknown what Chemmy may do besides replicate. Known variant(s) of Chemmy are: Chemmy-B: Chemmy-B is a minor variant of the Chemmy virus, and is functionally equivalent. Origin: Unknown February, 1992. See: Cheeba