The Dual_GTM virus is in the wild and has been reported in France during May 1995. It is memory resident COM and EXE file infector. Programs are infected when they are executed.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Dual_GTM avoids infecting EXE files whose name begin with SCAN, CLEA and QBAS. It's COM infection routine is buggy and multiple infections of the same COM file are possible.
The code of the virus presents some irritating characteristics - the virus tries to avoid heuristic scanners by doing it's things in non-obvious way. For example, when it wants to move value 4200 to a register, it will first move 4201 and then decrease the value of the register by one.
The virus activates on the 20th of March if the year is greater than 1993. At this time the virus beeps and displays slowly the text: "Beware of the BUG !!!". After this the virus hangs the machine. Otherwise the activation routine is harmless; Dual_GTM's main danger lies in its buggy infection routine that can corrupt the files it infects.
Do note that since member of the Dual_GTM family corrupt some EXE files while infecting them, these files will not work correctly even after they have been disinfected.
Technical Details:Pierre Vandevenne, DataRescue S.P.R.L, Belgium