Witcode Virus


 Virus Name:  Witcode 
 Aliases:    
 V Status:    Rare 
 Discovered:  December, 1992 
 Symptoms:    .EXE file growth; decrease in total system & available free 
              memory; messages; hard disk becomes unbootable 
 Origin:      Germany 
 Isolated:    The Netherlands 
 Eff Length:  966 - 980 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  AVTK, F-Prot, IBMAV, Sweep, PCScan, ChAV, 
                    ViruScan, NAV, NAVDX, VAlert, 
                    Sweep/N, NShld, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Witcode virus was submitted from the Netherlands in December, 
       1992.  It is originally from Germany, and has been rumored to 
       exist for over one year.  Witcode is a memory resident infector of 
       .EXE programs. 
 
       The first time a program infected with the Witcode virus is executed, 
       the Witcode virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 1,520 bytes.  Interrupt 21 will be hooked by the 
       Witcode virus. 
 
       Once the Witcode virus is memory resident, it will infect .EXE 
       programs when they are executed.  Infected programs will have a file 
       length increase of 966 to 980 bytes with the virus being located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text string 
       is visible within the viral code in all Witcode infected programs: 
 
               "Witcode" 
 
       The Witcode virus activates based on several different criteria.  If 
       the current system date and time match more than one criteria, any or 
       all of the effects for those activations may be noted. 
 
       On any day of the week from 22:00 to 06:00, the virus will display 
       the following message on approximately 1 out of every 16 program 
       executions: 
 
               "Gee, I wanna sleep now!" 
 
       On any Sunday, the virus will display the following message on 
       approximately 1 out of every 32 program executions: 
 
               "You really shouldn't work on Sundays..." 
 
       On any Monday, as well as on any Friday The 13th, the virus may 
       overwrite the first two bytes of the C: drive boot sector, rendering 
       the system hard disk unbootable.  The trojan has a 1 in 64 chance of 
       triggering when any program is executed. 
 
       From December 24th through December 31st of any year, the virus 
       will display the following message when any program is executed: 
      
               "Merry Christmas" 
 
       Lastly, the virus will very infrequently display the following 
       message when a program is executed: 
 
               "You got a fine machine!" 
 
       All of the above messages are encrypted within the viral code, and 
       are not visible within infected programs. 
 
       See:   Stasi

Show viruses from discovered during that infect .

Main Page