Virus Name: DM
V Status: Rare
Discovered: November, 1991
Symptoms: .COM file growth; system hangs; write to system display of
Eff Length: 400 Bytes
Type Code: PRfCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, ChAV,
NAV, IBMAV, NAVDX, VAlert, PCScan,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N,
Removal Instructions: Delete infected files
The DM, or DM-400, virus was received from Europe in November, 1991.
It is originally from the USSR. DM is a memory resident infector of
.COM files, including COMMAND.COM.
When the first program infected with DM is executed, the DM virus
will install itself memory resident in low available free memory,
directly remapping interrupts 21 and 24. It will also place a
portion of itself in system video memory, such as on a video card,
if it is available. Total system and available free memory, as
indicated by the DOS CHKDSK program, will not be altered.
Once the DM virus is memory resident, it will infect .COM programs,
including COMMAND.COM, when they are executed. Infected programs
will have a file size increase of 400 bytes with the virus being
located at the end of the infected file. There will be no visible
change to the file's date and time in the DOS disk directory
listing. The following text string can be found within all
A symptom of a DM infection is that attempts to execute programs
from write protected diskettes will result in a system hang with the
diskette drive being left spinning. The virus will also
occassionally write a copy of itself to the system display.
It is unknown what DM does besides replicate.
Known variant(s) of DM are:
DM-B: Also referred to as DM 1.01, DM-B is a 400 byte variant
of the original DM virus. It does not contain the "(C)1990 DM"
text string which is contained in the original virus.
Origin: USSR January, 1992.
DM 1.01B: Based on the DM-B variant, DM 1.01B is also 400 bytes
in length, and has been modified to avoid being detected by
most anti-viral utilities familiar with this group of viruses.
It contains the encrypted text string: "(C)1991 1.01 DM."
Origin: USSR September, 1992.
DM 1.04: DM 1.04 is a 400 byte variant of the original DM virus.
It infects .COM programs, including COMMAND.COM, when they are
executed. It does not contains the text string: "GIiokMO".
Origin: USSR July, 1992.
DM-330: Also referred to as DM 1.05, DM-330 is a 330 byte variant
of the DM-B virus. It will infect .COM programs when they are
executed or opened. It does not contain any identifying text
Origin: USSR June, 1992.