Virus Name: Gremlin
V Status: Rare
Discovered: May, 1991
Symptoms: .COM & .EXE growth; system slowdown; file dates may disappear;
Eff Length: 1,146 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, NAV, Sweep, AVTK,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N,
Removal Instructions: Delete infected files
The Gremlin, or Greemlin, virus was submitted in May, 1991 by the
PCVRF. This virus is a memory resident infector of .COM and .EXE
files, including COMMAND.COM. Its origin is unknown.
The first time a program infected with Gremlin is executed, the
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Interrupt 12's return is
not moved. The virus will hook interrupts 08 and 21.
Once Gremlin is memory resident, it will infect .COM and .EXE files
when they are executed. If COMMAND.COM is executed, it will become
infected. Infected files increase in length by 1,146 bytes with the
virus being located at the end of the program. The increase in file
length will be hidden by the virus if Gremlin is memory resident.
The program's time in the disk directory will disappear if it was
The text string "greemlin" can be found in all infected programs.
Infected systems may notice a slight slowdown in speed of
Gremlin is a destructive virus. It contains code to overwrite
sectors on the A:, B:, and C: drives on June 14th of any year.