WereWolf Virus
Virus Name: WereWolf
Aliases: WereWolf.658
V Status: In the wild
Discovered: January, 1996
Symptoms: .EXE file growth
Origin: Unknown
Eff Length: 658 - 674 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: ViruScan, AVTK, IBMAV, NAV, NAVDX, ChAV, PCScan,
AVTK/N, IBMAV/N, NAV, Innoc, NShld 2.33+
Removal Instructions: Delete infected files
General Comments:
The WereWolf or WereWolf.658 virus was received in January, 1996. Its
origin or point of isolation is unknown, though it is reported to be
in the wild in North America. WereWolf is a non-resident, direct
action infector of .EXE files.
When a program infected with the WereWolf virus is executed, this
virus will infect two .EXE files located in the current directory.
Infected files will have a file length increase of 658 to 674 bytes
with the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be altered.
The following text strings are usually encrypted within the viral
code, though they will occasionally appear in unencrypted form:
"Home Sweap Home"
"(C)1994-95 WereWolf"
"*.MS"
"*.CPS"
"ANT*.DAT"
It is unknown what the WereWolf virus may do besides replicate.
Known variant(s) of WereWolf are:
WereWolf.684: Also received in January, 1996, this is a 684 byte
variant of the WereWolf virus described above. It infects two
.EXE files each time an infected program is executed. Infected
programs will have a file length increase of 684 to 700 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"*.MS"
"*.CPS"
"ANT*.DAT"
"CLAWS (C)1994-95 WereWolf"
Origin: Unknown January, 1996.
WereWolf.685: Also received in January, 1996, this is a 685 byte
variant of the WereWolf virus described above. It infects two
.EXE files each time an infected program is executed. Infected
programs will have a file length increase of 685 to 701 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"*.MS"
"*.CPS"
"ANT*.DAT"
"FANGS (C)1994-95 WereWolf"
Origin: Unknown January, 1996.
WereWolf.686: Received in May, 1996, this is a 686 byte variant
which has been reported to be "in the wild". It infects two
.EXE files each time an infected program is executed. Infected
programs will have a file length increase of 686 to 702 bytes
with the virus being located at the end of the file. The file's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
viral code:
"*.MS"
"*.CPS"
"ANT*.DAT"
"FANGS (C)1994-95 WereWolf"
Origin: Unknown May, 1996.
WereWolf.1361: Received in May, 1996, this is a 1,361 byte
memory resident size stealthing variant of the WereWolf virus.
It becomes memory resident at the top of system memory but below
the 640K DOS boundary, hooking interrupt 21. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 2,688 bytes. Once resident, it infects
.COM and .EXE files, including COMMAND.COM, when they are
executed. Infected files will have a file length increase
of 1,361 bytes, though this file length increase will be hidden
when the virus is memory resident. The virus will be located at
the end of the host program. The file's date and time in
the DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "46". The
following text strings are encrypted within the viral code:
"FULL MOON (C)1995-96 WereWolf"
"CLEAN"
"AVP"
"TB"
"SCAN"
"NAV"
"IBM"
"FINDV"
"GUARD"
"FV"
"CHKDSK"
Origin: Unknown May, 1996
WereWolf.1367: Received in May, 1996, this is a 1,367 byte
memory resident size stealthing variant of the WereWolf virus.
It becomes memory resident at the top of system memory but below
the 640K DOS boundary, hooking interrupt 21. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 2,704 bytes. Once resident, it infects
.COM and .EXE files, including COMMAND.COM, when they are
executed. Infected files will have a file length increase
of 1,367 bytes, though this file length increase will be hidden
when the virus is memory resident. The virus will be located at
the end of the host program. The file's date and time in
the DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "46". The
following text strings are encrypted within the viral code:
"FULL MOON (C)1995-96 WereWolf"
"TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXXSQRW"
"CLEAN"
"AVP"
"TB"
"SCAN"
"NAV"
"IBM"
"FINDV"
"GUARD"
"FV"
"CHKDSK"
Origin: Unknown May, 1996
WereWolf.1500: Received in May, 1996, this is a 1,500 byte
memory resident size stealthing variant of the WereWolf virus.
It becomes memory resident at the top of system memory but below
the 640K DOS boundary, hooking interrupt 21. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 2,976 bytes. Once resident, it infects
.COM and .EXE files, including COMMAND.COM, when they are
executed. Infected files will have a file length increase
of 1,500 bytes, though this file length increase will be hidden
when the virus is memory resident. The virus will be located at
the end of the host program. The file's date and time in
the DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "06". The
following text strings are encrypted within the viral code:
"[WULF] (C)1995-96 WereWolf"
"CLEAN"
"AVP"
"TB"
"SCAN"
"NAV"
"IBM"
"FINDV"
"GUARD"
"FV"
"CHKDSK"
Origin: Unknown May, 1996
WereWolf.1500.B: Received in July, 1996, this is a 1,500 byte
memory resident size stealthing variant of the WereWolf virus.
It becomes memory resident at the top of system memory but below
the 640K DOS boundary, hooking interrupts 13 and 21. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 2,976 bytes. Once resident, it infects
.COM and .EXE files, including COMMAND.COM, when they are
executed. Infected files will have a file length increase
of 1,500 bytes, though this file length increase will be hidden
when the virus is memory resident. The virus will be located at
the end of the host program. The file's date and time in
the DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "06". The
following text strings are encrypted within the viral code:
"TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXX"
"[WULF] (C)1995-96 WereWolf"
"CLEAN"
"AVP"
"TB"
"SCAN"
"NAV"
"IBM"
"FINDV"
"GUARD"
"FV"
"CHKDSK"
Origin: Poland July, 1996
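The memory resident variants above (WereWolf.1361, .1367, .1500 and .1500.B) set the seconds field of an infected file's time stamp to "46" or "06". The following is an added example, not part of the original entry: it decodes raw 32-byte FAT directory entries and lists .COM and .EXE files whose seconds field carries one of those values. The sample directory, the helper make_entry and all file names, times and sizes are constructed for illustration.

```python
import struct

# Seconds values the entry reports for the resident variants:
# "46" for WereWolf.1361/.1367, "06" for WereWolf.1500/.1500.B.
MARKER_SECONDS = {46: "WereWolf.1361/.1367", 6: "WereWolf.1500/.1500.B"}
TARGET_EXTS = {"COM", "EXE"}   # file types those variants infect

def parse_entry(raw):
    """Decode one 32-byte FAT directory entry into a dict, or None if skipped."""
    if len(raw) != 32 or raw[0] in (0x00, 0xE5) or raw[11] & 0x18:
        return None   # unused, deleted, volume label/long name, or subdirectory
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    # Offset 22: time word, date word, start cluster, file size (little-endian).
    time_w, date_w, _cluster, size = struct.unpack_from("<HHHI", raw, 22)
    return {
        "name": f"{name}.{ext}" if ext else name,
        "ext": ext,
        "size": size,
        # Seconds are stored in 2-second units in the low 5 bits.
        "hms": (time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2),
        "ymd": (1980 + (date_w >> 9), (date_w >> 5) & 0x0F, date_w & 0x1F),
    }

def triage(directory):
    """Return (name, seconds, variant hint) for entries matching a marker."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        e = parse_entry(directory[off:off + 32])
        if e and e["ext"] in TARGET_EXTS and e["hms"][2] in MARKER_SECONDS:
            hits.append((e["name"], e["hms"][2], MARKER_SECONDS[e["hms"][2]]))
    return hits

def make_entry(name, ext, h, m, s, size):
    """Build a constructed directory entry for the demo (not real data)."""
    time_w = (h << 11) | (m << 5) | (s // 2)
    date_w = ((1996 - 1980) << 9) | (5 << 5) | 14
    return (name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" +
            bytes(10) + struct.pack("<HHHI", time_w, date_w, 2, size))

# Constructed sample directory: names, times and sizes are invented.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 5, 0, 46, 47845),
    make_entry("EDIT", "EXE", 12, 30, 6, 10000),
    make_entry("README", "TXT", 9, 15, 46, 1200),
    make_entry("FORMAT", "COM", 5, 0, 0, 22717),
])

if __name__ == "__main__":
    print(triage(SAMPLE_DIR))
```

A matching seconds value is only a triage hint, since uninfected files can carry the same time stamp by chance; confirm with a scanner. Reading the directory entries from a disk image or after a clean boot also shows the true file length, which the entry says is hidden while the virus is resident.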