Willow Virus


 Virus Name:  Willow 
 Aliases:    
 V Status:    New 
 Discovered:  April, 1993 
 Symptoms:    .EXE file growth; .COM files deleted; TSR 
 Origin:      Unknown 
 Eff Length:  1,870 - 1,884 Bytes 
 Type Code:   PRsE - Parasitic Resident .EXE Infector 
 Detection Method:  AVTK, ViruScan, F-Prot, Sweep, IBMAV, PCScan, 
                    NAV, NAVDX, VAlert, ChAV, 
                    NShld, AVTK/N, Sweep/N, NAV/N, NProt, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Willow virus was submitted in April, 1993.  Its origin or point 
       of isolation is unknown.  Willow is a memory resident infector of 
       .EXE programs. 
 
       When the first Willow infected program is executed, the Willow 
       virus will install itself memory resident as a low system memory 
       TSR of approximately 2.1K in size.  Interrupt 21 will be hooked by 
       the Willow virus. 
 
       Once the Willow virus is memory resident, it will infect .EXE 
       programs when they are executed.  Infected .EXE programs will have 
       a file length increase of 1,870 to 1,884 bytes with the virus being 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not be altered.  The following text 
       string is visible within the viral code in all Willow infected 
       programs: 
 
               "COMMAND.COM COMSPEC=" 
 
       The Willow virus is disruptive, deleting .COM programs when the user 
       attempts to execute them with the virus memory resident.  It doesn't 
       delete the copy of COMMAND.COM pointed to by the COMSPEC 
       environment variable. 
 
       Known variant(s) of Willow are: 
       Willow 2: A 2,013 byte variant of the Willow virus, this 
                 variant's memory resident TSR is 2,304 bytes, hooking 
                 interrupts 13, 20, 21, and 22.  It infects .EXE programs 
                 when they are executed.  Infected programs will have a 
                 file length increase of 2,013 to 2,027 bytes with the 
                 virus being located at the end of the file.  The program's 
                 date and time in the DOS disk directory listing will not 
                 be altered.  The following text string is visible within 
                 the viral code in all Willow 2 infected programs: 
                 "WILLOW come in." 
                 Willow 2 does not delete .COM programs as the original 
                 virus does. 
                 Origin:  Unknown  June, 1993. 
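
The text strings and file-growth ranges listed above can be combined into a simple triage check for archived DOS disk images. This is an added example, not part of the original entry; the function names, the optional known-good file size and the zero-filled sample are assumptions made for illustration.

```python
# Added triage example; every indicator value below is copied from the entry above.
# Assumption: each marker string is stored as one contiguous ASCII run in the file.
WILLOW_INDICATORS = {
    # variant: (marker text, minimum growth in bytes, maximum growth in bytes)
    "Willow": (b"COMMAND.COM COMSPEC=", 1870, 1884),
    "Willow 2": (b"WILLOW come in.", 2013, 2027),
}


def triage_exe(data, clean_size=None):
    """Return (variant, marker_in_tail, growth_match) for each indicator that fires.

    data       -- full contents of the suspect file
    clean_size -- length of a known-good copy of the same program, if one exists
    """
    findings = []
    if data[:2] not in (b"MZ", b"ZM"):
        return findings  # only DOS .EXE images are infected, per the entry
    for variant, (marker, lo, hi) in WILLOW_INDICATORS.items():
        # The virus body sits at the end of the file, so search only the last
        # `hi` bytes; this avoids flagging the same text elsewhere in the host.
        marker_in_tail = marker in data[-hi:]
        growth_match = clean_size is not None and lo <= len(data) - clean_size <= hi
        if marker_in_tail or growth_match:
            findings.append((variant, marker_in_tail, growth_match))
    return findings


def constructed_sample(marker, growth, clean_size=4096):
    """Build an inert test image: zero-filled host plus a zero-filled tail holding the marker."""
    host = b"MZ" + bytes(clean_size - 2)
    tail = bytes(100) + marker + bytes(growth - 100 - len(marker))
    return host + tail


if __name__ == "__main__":
    sample = constructed_sample(b"WILLOW come in.", 2013)
    print(triage_exe(sample, clean_size=4096))
```

A growth match without the marker, or the reverse, is a lead to confirm with one of the scanners listed under Detection Method rather than a verdict.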
  
  
