Witch Virus

Virus Name: Witch Aliases: V Status: Rare Discovered: December, 1992 Symptoms: .EXE file growth; unexpected access to system hard disk; message accompanied by system hang Origin: Unknown Eff Length: 1,140 Bytes Type Code: PNE - Parasitic Non-Resident .EXE Infector Detection Method: AVTK, F-Prot, ViruScan, Sweep, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, NAV/N Removal Instructions: Delete infected files General Comments: The Witch virus was submitted in December, 1992. Its origin or point of isolation is unknown. Witch is a non-resident, direct action infector of .EXE programs. When a program infected with the Witch virus is executed, the Witch virus will infect one .EXE program with a length of at least 5,000 bytes located in the current directory, and will also access the system hard disk C: drive. Infected programs will have a file length increase of 1,140 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the Witch viral code in all infected programs: "IT'S WITCHING HOUR... YOUR COMPUTER IS BEING HAUNTED! HAHAHA..." "Bad luck... You've got a virus in your system !" "*.eXe \dOs ChKdSk.eXe XcOPy.eXe MeM.ExE cHkLiS*.*" "Think about using a virus-scanner which is more up-to-date !" "Here lies a program in its coffin, executed by a user one time too often..." The Witch activates between midnight (00:01) and 1AM (01:00), at which time the following message will be displayed and a system hang may occur: "IT'S WITCHING HOUR... YOUR COMPUTER IS BEING HAUNTED! HAHAHA..." The Witch virus may also interfer with the functioning of the DOS 5.0 programs CHKDSK, XCOPY, and MEM, and with the Central Point Anti- Virus program.