There are 16 variants in 5 versions, represented by the following:
When the virus is run, it infects the first uninfected DOS executable by inserting its code to the beginning of the file and placing the original code to the end of the file.
Some variants may infect files located in other directories, but they do not look for the second or their child directories.
Virdem.463, 792, 824 and 1336.c and 1542
These variants infect the first uninfected file for each run, they would search for more files in other directories to infect.
Virdem.792 does not infect C:\COMMAND.COM, but it would look for drives A: and B:.
Virdem.601 and 1336.f
These variants look for files in drive D: to infect, if this drive letter is unassigned or is assigned to a read-only media (e.g. CD-ROM drive), they would fail to infect.
Virdem.601 would infect C:\COMMAND.COM.
This variant first infects C:\COMMAND.COM, sets a counter starting from 0, and then it infects the first uninfected file. If the total number of infected file is 9 (excluding COMMAND.COM), the virus will no longer infect any files.
This variant only infects files that are located in the root directory (C:), instead of any other directories.
Virdem.1336.a, b, e, g and h
These variants infect files in floppy disk drive A:, except the first file.
Virdem.463, 601, 824, 836 and 1336.c
These variants do not manifest themselves.
This variant would destroy the file allocation table in A: and B: if there are disks inserted.
When an infected program is run on Monday, the virus displays an ASCII bug at the top of the screen moving from the left to right.
Virdem.1336.a, b, e, f, g and h
After the virus infects a file, it displays a number guessing game with the following message:
VirDem Ver.: 1.06 (Generation #) aktive. Copyright by R.Burger 1986,1987 Phone.: D - 05932/5451 This is a demoprogram for computerviruses. Please put in a number now. If you're right, you'll be able to continue. The number is between 0 and x
Where x is the generation number of the virus. If the user guesses the wrong number, it displays the message, and the host program will not be run:
Sorry, you're wrong More luck at next try
If the user guesses right, it displays the message:
Famous. You're right. You'll be able to continue.
After all possible files have been infected, it displays the message:
All your programs are struck by VIRDEM.COM now.
For Virdem.1336.b, e, g and h, the texts are displayed in German.
Some variants may display different message but with the same meaning. Additionally, Virdem.1336.f may hang the system after the user guessed the right number.
Except C:\COMMAND.COM, if there is no more files to infect in the entire disk, the virus displays a graphical effect with colorful ASCII art.
This is the only variant that would show this graphical effect.
This family has 16 variants in total:
- Virus.DOS.Virdem.1336 (A to I)
The author of Virdem, Ralf Burger, is also the author of the book, "Computer Viruses: A High-Tech Disease". He presented the working model of Virdem to the Chaos Computer Club, an underground hacker forum, in Germany. Most of the forum members were interested in the VAX/VMS platform, but they still took interest in the idea of a virus. Burger is quoted as saying about viruses that "used properly may bring about a new generation of self-modifying computer operating systems".
Virdem.1136.c has been identified as Virdem.Killer, which has slightly different text strings.
Variants of this virus were being created as late as 1993, about 6 to 7 years after the original was created.
Virdem.463 contains the internal text strings:
Virdem.601 contains the internal text string:
Virdem.792, 824, 1336 (A to I) and 1542 contain the internal text strings:
*.com ????????exe ????????com
The variants of Virdem.1336 also contain the internal text string of the infected filename.
Additionally, Virdem.1542 also contains the internal text string:
- F-Secure Virus Descriptions: Virdem
- Description of Virdem on Online VSUM
- The Virus Information Service, Virdem Virus. Jim Bates, June 1990