Gollum
Type: File virus
Creator: GriYo
Date Discovered: 1997
Place of Origin: Madrid, Spain
Source Language: Assembly
Platform: DOS, MS Windows
File Type(s): .exe
Infection Length: 7,167 bytes

Gollum is a 16-bit virus by GriYo. It can infect Windows and DOS .exe files. GriYo described it as the first DOS/Windows hybrid ever. It appeared in the second issue of 29A magazine. Gollum is named for a creature that appears in the "Lord of the Rings" book and movie series.

Behavior

When Gollum is first executed, it drops the file GOLLUM.386 in the system folder. It adds the line 'DEVICE=GOLLUM.386' to the system.ini file (this file served a similar function to the registry in very early versions of Windows), ensuring it will be loaded as a device driver the next time the system starts.

When the system restarts, the virus becomes memory resident as a virtual device driver. Every time an .exe file is executed from a DOS window, the virus infects it by appending its code to the file. The virus is encrypted with a simple NOT operation. In an effort to avoid antivirus products, it does not infect files whose names contain the letter "v" or begin with "TB".

GoLLuM ViRuS by GriYo/29A
Deep down here by the dark water lived old
Gollum, a small slimy creature. I dont know 
where he came from, nor who or what he was.
He was a Gollum -as dark as darkness, except
for two big round pale eyes in his thin face.
J.R.R. ToLkieN ... The HoBBit

Gollum's payload deletes some antivirus database files including ANTI-VIR.DAT, CHKLIST.MS, AVP.CRC, IVB.NTZ and CHKLIST.TAV. It also drops a trojan named GOLLUM.EXE.
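
The system.ini persistence line described above is the simplest thing to check for when triaging an old Windows disk image. The following is an added example, not part of the original article or of the virus's code; the function names and the sample file are constructed for illustration, and the sample places the line in [386Enh] (the section where Windows 3.x lists virtual device drivers), which the article itself does not name.

```python
import ntpath

# Indicator taken from the article: the driver name Gollum registers.
INDICATOR_DRIVERS = {"GOLLUM.386"}

def device_entries(ini_text):
    """Yield (line_no, section, driver_value) for every DEVICE= line."""
    section = ""
    for line_no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "device":
            yield line_no, section, value.strip()

def find_gollum(ini_text):
    """Return DEVICE= entries whose file name matches a known indicator."""
    hits = []
    for line_no, section, value in device_entries(ini_text):
        # Entries may carry a DOS path; compare only the file name part.
        name = ntpath.basename(value).upper()
        if name in INDICATOR_DRIVERS:
            hits.append((line_no, section, value))
    return hits

# Constructed sample system.ini (assumption: not from a real infected machine).
SAMPLE = """\
[boot]
shell=progman.exe
[386Enh]
device=*vtd
; device=gollum.386  (commented out, must not match)
device=C:\\WINDOWS\\SYSTEM\\vshare.386
DEVICE=GOLLUM.386
"""

if __name__ == "__main__":
    for line_no, section, value in find_gollum(SAMPLE):
        print(f"line {line_no} [{section}]: DEVICE={value}")
```

A hit only shows that the load line is present; the GOLLUM.386 file in the system folder and the infected .exe files still have to be dealt with separately.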

Origin

Gollum was coded by GriYo in Spain. It was completed some time in 1997. The virus appeared in issue 2 of 29A Magazine.

Name

Unlike most of GriYo's creations, this virus is not named after a plant or animal virus. A Gollum is a creature in the Lord of the Rings books. It is also a genus of shark and a species of freshwater fish found in New Zealand. The word may also be related to Golem, a stone or clay being from Jewish folklore.

Sources

GriYo. 29A Magazine, Issue 2, GoLLuM ViRuS.

McAfee Antivirus, GOLLUM.7167.