Virus Name: Chemmy
V Status: Rare
Discovery: February, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
Eff Length: 1,691 - 1,706 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, ChAV,
NAV, NAVDX, VAlert, PCScan,
Sweep/N, NShld, Innoc, AVTK/N, IBMAV/N, NAV/N, LProt
Removal Instructions: Delete infected files
The Chemmy virus was received in February, 1992. Its origin is
unknown. Chemmy is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
When the first Chemmy infected program is executed, the Chemmy
virus installs itself memory resident at the top of system memory
but below the 640K DOS boundary. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have decreased
by 3,392 bytes. Interrupt 12's return will not have been moved.
Interrupt 22 will be hooked by the Chemmy virus in memory.
After the Chemmy virus is memory resident, it will infect .COM and
.EXE programs when they are copied. The source file will not be
infected, only the target becomes infected. Programs infected with
the Chemmy virus will have a file length increase of 1,691 to
1706 bytes with the virus being located at the end of the infected
program. The file's date and time in the DOS disk directory listing
will not be altered.
Chemmy is an encrypted virus, and no text strings are visible within
the viral code in infected programs.
It is unknown what Chemmy may do besides replicate.
Known variant(s) of Chemmy are:
Chemmy-B: Chemmy-B is a minor variant of the Chemmy virus, and
is functionally equivalent.
Origin: Unknown February, 1992.