Virdem

Virus.DOS.Virdem is a parasitic virus on DOS. It was the first file-infecting virus on this system, and it appeared almost a year after the distribution of the Pakistani Brain boot sector virus.

There are 16 variants in 5 versions, represented by the following:

  • Virus.DOS.Virdem.463
  • Virus.DOS.Virdem.601
  • Virus.DOS.Virdem.792
  • Virus.DOS.Virdem.1336
  • Virus.DOS.Virdem.1542

Behavior

When the virus is run, it infects the first uninfected DOS executable by inserting its code at the beginning of the file and moving the original code to the end of the file.

Some variants may infect files located in other directories, but they do not look for the second or their child directories.

Virdem.463, 792, 824, 1336.c and 1542

These variants infect the first uninfected file on each run and search other directories for more files to infect.

Virdem.792 does not infect C:\COMMAND.COM, but it looks for drives A: and B:.

Virdem.601 and 1336.f

These variants look for files on drive D: to infect. If this drive letter is unassigned or is assigned to read-only media (e.g. a CD-ROM drive), they fail to infect.

Virdem.601 infects C:\COMMAND.COM.

Virdem.833

This variant first infects C:\COMMAND.COM, sets a counter starting from 0, and then infects the first uninfected file. If the total number of infected files is 9 (excluding COMMAND.COM), the virus will no longer infect any files.

Virdem.836

This variant infects only files located in the root directory (C:), not in any other directory.

Virdem.1336.a, b, e, g and h

These variants infect files in floppy disk drive A:, except the first file.

Payload

Virdem.463, 601, 824, 836 and 1336.c

These variants do not manifest themselves.

Virdem.792

This variant destroys the file allocation table on A: and B: if disks are inserted.

Virdem.833

When an infected program is run on a Monday, the virus displays an ASCII bug at the top of the screen, moving from left to right.

Virdem.1336.a, b, e, f, g and h

After the virus infects a file, it displays a number guessing game with the following message:

VirDem Ver.: 1.06 (Generation #) aktive.
Copyright by R.Burger 1986,1987
Phone.: D - 05932/5451

This is a demoprogram for
computerviruses. Please put in a
number now.
If you're right, you'll be
able to continue.
The number is between
0 and x

Here x is the generation number of the virus. If the user guesses the wrong number, the virus displays the following message and the host program is not run:

Sorry, you're wrong
More luck at next try

If the user guesses right, it displays the message:

Famous. You're right.
You'll be able to continue.

After all possible files have been infected, it displays the message:

All your programs are 
struck by VIRDEM.COM now.

For Virdem.1336.b, e, g and h, the texts are displayed in German.

Some variants may display different messages with the same meaning. Additionally, Virdem.1336.f may hang the system after the user guesses the right number.

Virdem.1542

If there are no more files to infect on the entire disk (not counting C:\COMMAND.COM), the virus displays a graphical effect with colorful ASCII art.

This is the only variant that would show this graphical effect.

Variants

This family has 16 variants in total:

  • Virus.DOS.Virdem.463
  • Virus.DOS.Virdem.601
  • Virus.DOS.Virdem.792
  • Virus.DOS.Virdem.824
  • Virus.DOS.Virdem.833
  • Virus.DOS.Virdem.836
  • Virus.DOS.Virdem.1336 (A to I)
  • Virus.DOS.Virdem.1542

Other details

The author of Virdem, Ralf Burger, is also the author of the book, "Computer Viruses: A High-Tech Disease". He presented the working model of Virdem to the Chaos Computer Club, an underground hacker forum, in Germany. Most of the forum members were interested in the VAX/VMS platform, but they still took interest in the idea of a virus. Burger is quoted as saying about viruses that "used properly may bring about a new generation of self-modifying computer operating systems".

Virdem.1136.c has been identified as Virdem.Killer, which has slightly different text strings.

Variants of this virus were being created as late as 1993, about 6 to 7 years after the original was created.

Virdem.463 contains the internal text strings:

*.com
IRUS

Virdem.601 contains the internal text string:

*.com

Virdem.792, 824, 1336 (A to I) and 1542 contain the internal text strings:

*.com
????????exe
????????com

The variants of Virdem.1336 also contain the internal text string of the infected filename.

Additionally, Virdem.1542 also contains the internal text string:

a:\lo*.*
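
The internal strings listed above can serve as a first-pass triage of a suspect file. The following Python is an added example, not part of the original article: the function names and sample buffers are constructed, and a hit is only a hint, since strings such as *.com also occur in benign DOS programs.

```python
# Added example: string triage using the internal text strings listed above.
# Marker bytes come from the article; names and sample buffers are constructed.

MARKERS = {
    "com_glob": b"*.com",
    "irus": b"IRUS",
    "q_exe": b"????????exe",
    "q_com": b"????????com",
    "lo_glob": b"a:\\lo*.*",
}

# Marker sets per variant group, as the article describes them.
GROUPS = [
    ("Virdem.1542", {"com_glob", "q_exe", "q_com", "lo_glob"}),
    ("Virdem.792/824/1336 (A to I)/1542", {"com_glob", "q_exe", "q_com"}),
    ("Virdem.463", {"com_glob", "irus"}),
    ("Virdem.601", {"com_glob"}),
]


def find_markers(data: bytes) -> set:
    """Return the names of all marker strings present in the buffer."""
    return {name for name, needle in MARKERS.items() if needle in data}


def triage(data: bytes) -> list:
    """Return groups whose full marker set is present, keeping only the
    most specific ones (a group is dropped when another matching group
    requires a strict superset of its markers)."""
    present = find_markers(data)
    hits = [(label, req) for label, req in GROUPS if req <= present]
    return [label for label, req in hits
            if not any(req < other for _, other in hits)]


# Constructed buffers (not real samples): filler bytes around the markers.
SAMPLE_463 = b"\x00" * 16 + b"*.com\x00" + b"IRUS" + b"\x00" * 8
SAMPLE_1542 = (b"\x00" * 16 + b"*.com\x00????????exe\x00????????com\x00"
               + b"a:\\lo*.*\x00")
SAMPLE_CLEAN = b"plain data with no marker strings"

if __name__ == "__main__":
    for name, buf in [("463-like", SAMPLE_463), ("1542-like", SAMPLE_1542),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, "->", triage(buf) or "no Virdem strings found")
```

Because the marker for Virdem.601 is only *.com, a match on that group alone carries very little weight and should be confirmed with a proper scanner.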

