Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: Win16

No platform description


Technical Details

This is a parasitic virus that "stays resident" under Windows and Windows95, hooks disk file access and infects DOS EXE files. This is multipartite virus, because it affects two different platforms - Windows and DOS. The virus does not infect neither Portable Executable (PE) nor New Executable (NE) Windows EXE files, but stays in Windows as a VxD driver to intercept and infect DOS EXE files. So, the virus does not infect Windows files, but Windows memory, and it does not infect DOS memory, but does infect DOS EXE files.

When an infected DOS EXE file is executed, the virus only drops its VxD (the GOLLUM.386 file), registers it in the Windows SYSTEM.INI file, returns to the host program and does not perform any other action. When Windows is starting, it loads this virus VxD, the virus takes control, hooks V86 interrupts chain and then infects DOS EXE files. The GOLLUM.386 dropper has 6592 bytes of length, while infecting it adds 7167 bytes to DOS EXE files.

Infected DOS EXE File

The virus in DOS EXE file is encrypted by NOT (XOR 0FFh) instruction. So, when an infected file is executed, the virus takes control and decrypts itself. The loop of decryption command contains a silly anti-debugging trick, and one should be careful while analyzing the virus code.

The virus then looks for Windows SYSTEM.INI file. There are five names that are used by virus:

If there are no such files, the virus does not drop its VxD and returns to the host program. Otherwise it creates the GOLLUM.386 file (virus VxD) in the Windows directory and inserts into the SYSTEM.INI file the command that loads this VxD:
This command is inserted into [386Enh] section - the virus searches for string "[386" and writes that command to there:
SYSTEM.INI before    and after infection
...                  ...
[386Enh]             [386Enh]
mouse=*vmd           DEVICE=GOLLUM.386
The virus does not drops its VxD twice - it scans the SYSTEM.INI file for the string "GOLLU" and terminates infection routine if this string is found.

Virus in VxD File

Virus VxD (the GOLLUM.386 file) has LE (Linear Executable) format. DOS EXE stub in this file contains a short routine that switches to standard text video mode and displays the text:
The LE part of this file contains the installation routine that gets and stores startup path (to use in infection routine), hooks INT 21h (V86 interrupt chain), INT 21h handler, infection routine and virus DOS EXE code. The INT 21h virus handler intercepts three calls: Load and Execute (4B00h), Terminate (4C00h) and Change Directory (3Bh).

When a file is executed, the virus only saves its name and returns control. The infection routine gets control on Terminate call. At first the virus checks the file name. It infects the files only on C: drive and does not infect the files SCAN*.*, F-PR*.*, TB*.* (SCAN, F-PROT, ThunderByte-related programs) as well as files with name that contains 'V' letter or digits. The virus also does not infect the files with length less than 7167 bytes.

The virus then opens the file, reads and checks its header. The virus checks the EXE stamp (MZ at file beginning) and NewExe flags, but fails and in some cases infects NewExe files as DOS EXE. That may corrupt files. To prevent duplicate infection the virus compares the CRC field (offset 12h in EXE header) with two bytes - 52h 43h (ASCII "RC").

The virus then infects the file in a standard way that is used by majority of DOS viruses - it writes its code (DOS and VxD parts) to the end of the file and modifies EXE header (entry point and stack initial values, module size and identificator "RC"). To avoid code/data access violation while writing VxD part the virus copies it from GOLLUM.386 in startup path that was stored while installing virus VxD.

The infection routine is complete, and the virus closes the file as well as restores file attributes and file date and time stamp.

Trigger Routines

While installing on June 4th the virus sends a system message with the text that forces Windows to display this text as a system error message:
GoLLuM ViRuS by Griyo/29A
Deep down here by the dark water lived old Gollum, a small slimy
creature. I dont know where he came from, nor who or what he was. He
was a Gollum -as dark a darkness, except for two big round pale eyes
in his thin face.
J.R.R. ToLkieN ... The HoBBit
Press any key to continue
On selecting a directory (INT 21h Change Directory call) the virus gets the system timer and depending on its value (with probability 1/256) creates the GOLLUM.EXE file in the current directory and copies its VxD GOLLUM.386 to there. When this EXE file is executed under DOS, the DOS stub routine displays:
To avoid detection by anti-virus integrity checkers the virus deletes their databases: ANTI-VIR.DAT, CHKLIST.TAV, CHKLIST.MS, AVP.CRC, IVB.NTZ.

The virus also contains the strings:

GoLLuM ViRuS for Microsoft Windows by GriYo/29A

Read more

Find out the statistics of the vulnerabilities spreading in your region on

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.