Virdem

Last updated May 08, 2024

Virdem was a file virus for MS-DOS. It was the first file virus.^[1] It was written by Ralf Burger in 1986 as a demonstration program for Chaos Computer Club conference. The virus spreads by attaching to files with the .COM file extension. It is one of the oldest viruses for MS-DOS computers.^[2]

Infection and symptoms

Virdem overwrites the host with its own code and save the original program at the very end. It was a direct-action virus and did not spread fast.^{[ failed verification ]} It only infected files that had a COM extension.^[5] When an infected file is run, the next uninfected program becomes infected.

When infected, small COM files, less than 11k, grows by 2559 bytes and larger files grow by 1336 bytes. Infected programs asks to guess a number between 0 and n where #^{[ non sequitur ]} is the generation number of the virus plus one. If you guess correctly, the program runs if not, it returns to DOS.

Technical details

It doesn't intercept interrupt 24h so a write-protected disk will give an "Abort, Retry, Ignore" message. Read-only files are set to read/write, infected and then not set back to read-only. The virus had two NOP instructions at the beginning of the file.^[6]

Related Research Articles

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behaviour will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on exploiting the advantages of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

A boot sector is the sector of a persistent data storage device which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

A COM file is a type of simple executable file. On the Digital Equipment Corporation (DEC) VAX operating systems of the 1970s, .COM was used as a filename extension for text files containing commands to be issued to the operating system. With the introduction of Digital Research's CP/M, the type of files commonly associated with COM extension changed to that of executable files. This convention was later carried over to DOS. Even when complemented by the more general EXE file format for executables, the compact COM files remained viable and frequently used under DOS.

The EICAR Anti-Virus Test File or EICAR test file is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and Computer Antivirus Research Organization (CARO) to test the response of computer antivirus (AV) programs. Instead of using real malware, which could cause real damage, this test file allows people to test anti-virus software without having to use a real computer virus.

Abraxas, also known as Abraxas5, discovered in April 1993, is an encrypted, overwriting, file infecting computer virus which infects .COM and .EXE files, although it does not infect command.com. It does not become memory resident. Each time an infected file is executed, Abraxas infects the copy of dosshell.com located in the C:\DOS directory, as well as one EXE file in the current directory. Due to a bug in the virus, only the first EXE file in any directory is infected.

Acme is a computer virus which infects MS-DOS EXE files. Each time an infected file is executed, Acme may infect an EXE in the current directory by creating a hidden 247 byte long read-only COM file with the same base name. Acme is a variant of Clonewar, a spawning virus. Acme is also perhaps a descendant of the small single-step infector Zeno, which is not to be confused with the Zeno programming language.

AIDS is a DOS computer virus which overwrites COM files.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

Jerusalem is a logic bomb DOS virus first detected at Hebrew University of Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident, and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. Executable files grow by 1,808 to 1,823 bytes each time they are infected, and are then re-infected each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

Ontario is a family of computer viruses, named after its point of isolation, the Canadian province of Ontario. This family of computer virus consists of Ontario.1024, Ontario.512 and Ontario.2048. The first variant Ontario.512 was discovered in July 1990. Because Ontario.1024 was also discovered in Ontario, it is likely that both viruses originate from within the province. By the Ontario.2048 variant, the author had adopted "Ontario" as the family's name and even included the name "Ontario-3" in the virus code.

CTX is a computer virus created in Spain in 1999. CTX was initially discovered as part of the Cholera worm, with which the author intentionally infected with CTX. Although the Cholera worm had the capability to send itself via email, the CTX worm quickly surpassed it in prevalence. Cholera is now considered obsolete, while CTX remains in the field, albeit with only rare discoveries.

<span class="mw-page-title-main">Stoned (computer virus)</span> Computer virus

Stoned is a boot sector computer virus created in 1987. It is one of the first viruses and is thought to have been written by a student in Wellington, New Zealand. By 1989 it had spread widely in New Zealand and Australia, and variants became very common worldwide in the early 1990s.

4k is a computer virus which infects COM files and EXE files. The virus was one of the first file infectors to employ stealth tactics. Infected systems will hang, after September 22 every year, which is also the date of birth of Bilbo Baggins, a character from The Lord of the Rings. The code was intended to display the message Frodo Lives, but hangs in all known variants.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

<span class="mw-page-title-main">Happy99</span> Windows computer worm and early e-mail virus

Happy99 is a computer worm for Microsoft Windows. It first appeared in mid-January 1999, spreading through email and usenet. The worm installs itself and runs in the background of a victim's machine, without their knowledge. It is generally considered the first virus to propagate by email, and has served as a template for the creation of other self-propagating viruses. Happy99 has spread on multiple continents, including North America, Europe, and Asia.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.

References

↑ Bhargav, Abhay (2010-09-14). Secure Java: For Web Application Development. CRC Press. ISBN 978-1-4398-2356-9.
↑ Skoudis, Ed; Zeltser, Lenny (2004). Malware: Fighting Malicious Code. Prentice Hall Professional. ISBN 978-0-13-101405-3.
↑ Salomon, David (2010-08-05). Elements of Computer Security. Springer Science & Business Media. ISBN 978-0-85729-006-9.
↑ Danesh, Arman; Lau, Felix; Mehrassa, Ali (2002). Safe and Secure: Secure Your Home Network, and Protect Your Privacy Online. Sams Publishing. ISBN 978-0-672-32243-3.
↑ Szor, Peter (2005-02-03). The Art of Computer Virus Research and Defense. Pearson Education. ISBN 978-0-672-33390-3.
↑ Solomon, Alan (2012-12-06). PC Viruses: Detection, Analysis and Cure. Springer Science & Business Media. ISBN 978-1-4471-1031-6.

External links

Malware Example: VIRDEM.COM

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Bhargav, Abhay (2010-09-14). Secure Java: For Web Application Development. CRC Press. ISBN 978-1-4398-2356-9.

[2] Skoudis, Ed; Zeltser, Lenny (2004). Malware: Fighting Malicious Code. Prentice Hall Professional. ISBN 978-0-13-101405-3.

[3] Salomon, David (2010-08-05). Elements of Computer Security. Springer Science & Business Media. ISBN 978-0-85729-006-9.

[4] Danesh, Arman; Lau, Felix; Mehrassa, Ali (2002). Safe and Secure: Secure Your Home Network, and Protect Your Privacy Online. Sams Publishing. ISBN 978-0-672-32243-3.

[5] Szor, Peter (2005-02-03). The Art of Computer Virus Research and Defense. Pearson Education. ISBN 978-0-672-33390-3.

[6] Solomon, Alan (2012-12-06). PC Viruses: Detection, Analysis and Cure. Springer Science & Business Media. ISBN 978-1-4471-1031-6.

[1]

[2]

[3]

[4]

[5]

[6]