Virus Name: Dichotomy
V Status: New
Discovered: September, 1994
Symptoms: .COM & .EXE growth; file date/time seconds = "62";
decrease in total system & available free memory;
Eff Length: 863 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, IBMAV,
NAVDX, VAlert, NAV, PCScan, ChAV,
IBMAV/N, NShld, AVTK/N, Sweep/N, NProt, NAV/N, LProt,
Removal Instructions: Delete infected files
The Dichotomy virus was received in September, 1994. Its origin or
point of isolation is unknown. Dichotomy is a memory resident
infector of .COM and .EXE files, including COMMAND.COM.
When the first Dichotomy infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary, not moving interrupt 12's return. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will have decreased by 1,072 bytes. Interrupt 21 will be
hooked by the virus in memory.
Once the Dichotomy virus is memory resident, it will infect .COM and
.EXE files when they are executed. Infected programs will have a file
length increase of 863 bytes with the virus being located at the end
of the file. The program's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field will
have been set to "62". The following text strings are visible within
the viral code in all Dichotomy infected programs:
"(c) 1994 Evil Avatar"
The Dichotomy virus infects .EXE files as though they are .COM files.
As a result, system hangs may occur when infected .EXE programs are