Gimon.2256
This is a non-dangerous memory-resident parasitic virus. When an infected file is executed, the virus installs itself into the system so that it is activated each time DOS boots. To do that, it creates its dropper file (pure virus code) in the root of the C: drive and "registers" it in the C:CONFIG.SYS file with an "install=" instruction. The name of the dropper file has four randomly selected letters, for example: AOCJ.ICG, APCF.KCG, etc. The virus then installs itself memory resident.
When the virus dropper runs, it does not install the virus into system memory but just creates the C:GBMONKEY.COM file and registers it in the C:WINSTART.BAT file. The dropper then exits to DOS.
When installing itself memory resident, the virus hooks INT 21h and intercepts the file-search functions. It then infects COM, EXE and SYS files that are accessed by these functions. While infecting a file, the virus writes itself to the end of the file and modifies the file header. The virus also tries to infect OBJ files, but fails because of bugs.
On October 10th, infected SYS files display the following message and halt the computer:
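A triage check for the two persistence artifacts described above, as an added example that is not part of the original description. It scans the text of CONFIG.SYS and WINSTART.BAT (for instance, as extracted from a disk image); the function names, the sample file contents and the assumption that the dropper extension is always three letters (drawn from the two example names) are constructed for illustration.

```python
import re

# INSTALL= target with no directory part, a four-letter base name and a
# three-letter extension: the shape of the examples AOCJ.ICG and APCF.KCG.
# The three-letter extension is an assumption based on those two examples.
INSTALL_RE = re.compile(
    r"^\s*install\s*=\s*(?:c:)?\\?([a-z]{4}\.[a-z]{3})(?=\s|$)", re.IGNORECASE)
# Any reference to the file the dropper creates, with or without a path.
GBMONKEY_RE = re.compile(r"(?<![a-z0-9_])gbmonkey\.com\b", re.IGNORECASE)

def suspicious_installs(config_sys: str):
    """Return (line_number, file_name, odd_extension) per matching INSTALL= line.

    odd_extension is True when the target is not a .COM or .EXE file, which
    makes a legitimate resident utility a less likely explanation.
    """
    hits = []
    for no, line in enumerate(config_sys.splitlines(), 1):
        m = INSTALL_RE.match(line)
        if m:
            name = m.group(1).upper()
            hits.append((no, name, name[-3:] not in ("COM", "EXE")))
    return hits

def winstart_hits(winstart_bat: str):
    """Return line numbers of non-comment lines that reference GBMONKEY.COM."""
    return [no for no, line in enumerate(winstart_bat.splitlines(), 1)
            if not line.lstrip().lower().startswith("rem")
            and GBMONKEY_RE.search(line)]

# Constructed sample inputs, not taken from a real system.
SAMPLE_CONFIG = r"""DEVICE=C:\DOS\HIMEM.SYS
FILES=40
INSTALL=C:\DOS\SHARE.EXE
install=C:\AOCJ.ICG
"""
SAMPLE_WINSTART = "@ECHO OFF\nC:GBMONKEY.COM\n"

if __name__ == "__main__":
    for no, name, odd in suspicious_installs(SAMPLE_CONFIG):
        print(f"CONFIG.SYS line {no}: INSTALL= target {name} (odd extension: {odd})")
    for no in winstart_hits(SAMPLE_WINSTART):
        print(f"WINSTART.BAT line {no}: references GBMONKEY.COM")
```

A match on the INSTALL= pattern alone is a heuristic, since a legitimate four-letter utility in the root directory would also be reported; the odd-extension flag and a WINSTART.BAT hit together are the stronger signal.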
Gibraltar Monkey!
(A)bort, (R)etry, (I)gnore?
On March 8th the virus overwrites all accessed GIF files with an image of the Gibraltar flag.
The virus also contains the text string:
[Gibraltar Monkey, by Mister Sandman]