%%File: VIRS0347.TXT
%%Name/Aliases: EM
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Encrypted, Direct acting, Infects files on C: drive only!
%%Damage: Corrupts system sector containing file directory entry. Corrupts a program or overlay files.
%%Size: 1303 bytes long.
%%See Also:
%%Notes: The following notes are extracted from VB, July 1995:

EM is a 1303-byte encrypted virus that appeared in Russia. The virus has two forms. The first form is a 1303-byte file called EM.COM, which is a COM file and is executed whenever DOS processes AUTOEXEC.BAT at load time. The second form is the usual EXE file appender.

EM.COM is activated each time the system is booted. Its first action is to check the date: if the date is the 28th, the trigger routine is activated; otherwise it infects 10 EXE files on the C: drive. On every reboot, EXE files are infected until all are infected.

On the 28th day of any month, EM delivers its payload. The virus scans the subdirectory tree of the C: drive, then obtains the address of the subdirectories, and finally corrupts each entry name. It overwrites the name of each entry with a 'SPACE' character (data inside the files is not changed). The result is that DOS cannot access these entries, since DOS does not support the space character in names. Using the DIR command, all entries are displayed with a 'SHORTENED NAME'.

Restoring data files with corrupt names should be simple, just using the 'RENAME' command. The AUTOEXEC.BAT file should be cleaned by removing the line that contains 'em' (i.e. preventing EM.COM from being executed by DOS). As for the EXE files, they must be identified and replaced under clean system conditions.

For more info about the EM virus, read the VB article about this particular virus.