| Alias: | Demovirus G&H |
| Strain: | |
| detected when: | February 1991 |
| where: | Germany |
| Classification: | Program virus: Non-resident COM infector |
| Length: | 1247 bytes |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.11 and upwards |
| Computer model(s): | IBM PC and compatibles |
| Caroname: | Gliss |
Attributes | |
| Easy identification: | The virus displays a message (in German) every time it infects a file. The message encompasses a whole screen and includes information on the virus (its length, wrongly stated as 1.000 bytes, and the virus' behaviour), the author's address, as well as an advertisement for a brochure on PC security. You must press a key before the message goes away. |
| Type of Infection: | The virus infects COM files on diskette drive A in direct action and does not go resident. Six bytes are changed at the beginning of the file (the jump to the virus) and the rest is appended to the file. |
| Infection Technique: | |
| Infection Trigger: | Execution of an infected program |
| Storage Media affected: | Only the physical drive A: (in most cases: first floppy drive). |
| Interrupts hooked: | INT 13 for a short time; it is not used for infection or damage. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | |
| Damage Trigger: | Every time an infected program is run. |
| Particularities: | 1) Checks if the drive is a logical drive by seeing whether DOS uses BIOS to access the disk. The virus checks whether the text has been changed by building a checksum over the text; if the text was changed, the virus terminates. 2) This virus was produced by a computer security firm in Germany (near Cologne) and sold for a nominal fee (50 DM) by mail-order; the virus was advertised in a German Data Protection monthly as educational. Only after the intervention of the German Information Security Agency (GISA) was the distribution stopped, after apparently a few copies had been sent out (with major demand unsatisfied); in another advertisement the virus was officially withdrawn. 3) Even though the names of the firm and authors are known and even displayed on screen, VTC anonymizes them by giving only the initials as long as the virus is not further distributed. |
| Similarities: | --- |
Agents | |
| Countermeasures: | (no contemporary scanner finds this virus) |
| - ditto - successful: | --- |
| Standard means: | When seeing message, replace infected program with original (non-infected) version. |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, FRG |
| Classification by: | Morton Swimmer |
| Documentation by: | Morton Swimmer |
| Date: | 15-July-1991 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg