The Dual_GTM virus is in the wild and has been reported in
France during May 1995. It is memory resident COM and EXE file
infector. Programs are infected when they are executed.
Dual_GTM avoids infecting EXE files whose name begin with
SCAN, CLEA and QBAS. It's COM infection routine is buggy and
multiple infections of the same COM file are possible.
The code of the virus presents some irritating
characteristics - the virus tries to avoid heuristic
scanners by doing it's things in non-obvious way. For
example, when it wants to move value 4200 to a register, it
will first move 4201 and then decrease the value of the
register by one.
The virus activates on the 20th of March if the year is
greater than 1993. At this time the virus beeps and displays
slowly the text: "Beware of the BUG !!!". After this the
virus hangs the machine. Otherwise the activation routine is
harmless; Dual_GTM's main danger lies in its buggy infection
routine that can corrupt the files it infects.
Do note that since member of the Dual_GTM family corrupt
some EXE files while infecting them, these files will not
work correctly even after they have been disinfected.
[Analysis: Pierre Vandevenne, DataRescue S.P.R.L, Belgium]
