Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Holms

This is a strongly polymorphic, parasitic EXE and COM infector with length of 6161 bytes. From the point of view of strategy it belongs to so called “slow” viruses. Viruses of this category do not hurry to reproduce in the host computer. They wait patiently till the user’s vigilance weakens, or till suitable conditions for hardly recognizable spreading are formed. Only after this “incubator period” the viruses fully unfold their abilities. To do so the virus Holms saves information about infection time and about the outlook of the original file. After that it comes to a rather non-typical process of infecting: the virus creates a copy of the file it wants to infect, but gives it a randomly generated name without extension. The virus deletes the original file, infects the copy, and finally gives it the name of the original file. At any execution of the infected file in the future it first checks the date. If the program was not altered and it is the 17th day of a month, or if three weeks from the infection have passed, the virus will install its resident part into memory and start replication. If the program was altered, the virus does not wait a starts to replicate immediately. It must be said that when infecting, the virus avoids COMMAND.COM. In the virus body are the following texts:

PATH=COMMAND COMEXE*.*
Copyright 1989 - 1992 version 1.05-NC for antivirus program debugging.

and near the end there is the word “Holms.”, after which the virus was named. If you press both left and right SHIFT on the keyboard the virus starts to play a melody from the movie “Sherlock Holmes and Dr. Watson”. The virus occasionally simulates pressing CTRL-BREAK.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.