W13 Virus
Virus Name: W13
Aliases: Toothless Virus
V Status: Endangered
Discovered: December, 1989
Symptoms: .COM growth
Origin: Poland
Eff Length: 534 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV, NAVDX, VAlert,
PCScan, ChAV, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, NAV/N
Removal Instructions: F-Prot, NAV, or delete infected files
General Comments:
The W13 virus is a .COM file infector that does little other than
infect files. The virus was isolated in December 1989 in
Poland.
While W13 is based on the Vienna virus, it does not damage files or
have some of the other side effects of the Vienna virus. It
contains a number of bugs which prevent it from being a good
replicator.
Known variant(s) of W13 are:
Dushanbe: The Dushanbe variant is a 458 byte version of the W13
virus. It will infect one .COM file each time an infected
program is executed. Infected files will have a file
length increase of 458 bytes with the virus being located
at the end of the infected file. Each infected program will
have had the month in the file's date in the disk
directory changed to "13". Infected programs will contain
the following text strings:
"????????.COM"
"????????COM"
"DUSHANBE M&A!"
Origin: Unknown October, 1992.
W13-B: The original W13 virus with several bugs fixed. This
variant's length is 507 bytes instead of 534 bytes.
W13-B2: A minor variant of W13-B, this variant has been altered
to avoid detection by a particular anti-viral utility. It
is not believed to be in the public domain.
Origin: Unknown October, 1993.
W13-B3: A minor variant of W13-B, this variant has been altered
to avoid detection by a particular anti-viral utility. It
is not believed to be in the public domain.
Origin: Unknown October, 1993.
W13-361: The W13-361 variant is a 361 byte version of the W13
virus. It will infect one .COM file each time an infected
program is executed. Infected files will have increased
in size by 361 bytes with the virus being located at
the end of the infected file. Each infected program will
have had the month in the file's date in the disk
directory changed to "13". System hangs will frequently
occur when programs infected with W13-361 are executed.
Infected programs will contain the text string:
"ctivated!"
Origin: Poland November, 1991.
W13-377: The W13-377 variant is a 377 byte version of the W13
virus. Like W13-361, it infects one .COM file each time
an infected program is executed, though the file length
increase will be 371 bytes. It also changes the file's
month in the file date to "13". The system hangs which
occur with W13-361 do not occur with this version. The
following text string can be found in infected programs:
"????????.COM".
Origin: Poland November, 1991.
W13-534B: The W13-534B variant is a 534 byte version of the W13
virus. It will infect one .COM file each time an infected
program is executed. The month in the file's date in the
DOS disk directory will have been changed to "13", which
is how the virus determines the file is infected. This
variant is a minor variant of the original W13. Like the
original virus, it contains several occurrences of the
text string "Microsoftyright" within the viral code.
Origin: Unknown May, 1992.
W13-534C: A minor variant of W13-534, this variant has been
altered to avoid detection by a particular anti-viral utility.
It is not believed to be in the public domain.
Origin: Unknown October, 1993.
W13-534D: A minor variant of W13-534, this variant has been
altered to avoid detection by a particular anti-viral utility.
It is not believed to be in the public domain.
Origin: Unknown October, 1993.
W13-534E: A minor variant of W13-534, this variant has been
altered to avoid detection by a particular anti-viral utility.
It is not believed to be in the public domain.
Origin: Unknown October, 1993.
W13-537: A minor variant of the W13 virus, this variant has been
altered to avoid detection by a particular anti-viral utility.
It is not believed to be in the public domain, and adds 537
bytes to the .COM programs it infects.
Origin: Unknown October, 1993.
W13.600: Received in January, 1996, this is a 600 byte variant
of the W13 virus. It infects one .COM file, including
COMMAND.COM, when an infected program is executed. Infected
files increase in size by 600 bytes with the virus being
located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"\ .COM"
"I am back... The world will hear from me again. Pray for
your disks NEW (c)W13 1994."
Origin: Unknown January, 1996.
W13-Req: The W13-Req variant is a 494 byte version of the W13
virus. It infects one .COM file each time an infected
program is executed. It contains the following text
strings:
"????????.com"
"????????COM"
"REQ ! Ltd (c) 18:41:22 3-I-1991"
Origin: Poland November, 1991.
See: Gipsy-304, Plumbum, Vienna
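
Several variants above (Dushanbe, W13-361, W13-377, W13-534B) set the month in an infected file's directory date to 13, so a scan of raw FAT directory entries for .COM files with that month value finds their marker. This is an added example, not part of the original entry; the function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32  # size of one FAT12/16 directory entry

def decode_dos_date(word):
    """Split the packed 16-bit DOS date into (year, month, day)."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F

def find_month13_com(directory):
    """Return (name, size, date) for .COM entries whose month field is 13."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:      # end-of-directory marker
            break
        if entry[0] == 0xE5:      # deleted entry
            continue
        if entry[11] & 0x18:      # volume label, subdirectory or long-name slot
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        date_word, = struct.unpack_from("<H", entry, 24)  # date at offset 24
        size, = struct.unpack_from("<I", entry, 28)       # size at offset 28
        year, month, day = decode_dos_date(date_word)
        if ext == "COM" and month == 13:
            hits.append((f"{name}.{ext}", size, (year, month, day)))
    return hits

def make_entry(name, ext, year, month, day, size):
    """Build a constructed 32-byte directory entry for the sample below."""
    date_word = ((year - 1980) << 9) | (month << 5) | day
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), 0x20, b"\0" * 10,
                       0, date_word, 0, size)

# Constructed sample directory: one clean .COM, one .COM with month 13,
# one non-.COM file with month 13, then the end-of-directory entry.
SAMPLE = b"".join([
    make_entry("EDIT", "COM", 1989, 11, 3, 12000),
    make_entry("FORMAT", "COM", 1989, 13, 3, 11000 + 534),
    make_entry("NOTES", "TXT", 1989, 13, 1, 100),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for name, size, date in find_month13_com(SAMPLE):
        print(name, size, date)
```

The entry states that W13.600 leaves the file date and time unaltered, so an empty result from this check does not rule out every variant.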