Wizard 3.0 Virus
Virus Name: Wizard 3.0
Aliases:
V Status: Rare
Discovered: December, 1992
Symptoms: .COM file growth; message & beeping
Origin: Poland
Eff Length: 268 Bytes
Type Code: PRCK - Parasitic Resident .COM Infector
Detection Method: AVTK, F-Prot, Sweep, ViruScan, IBMAV, PCScan, ChAV, NAV, NAVDX, VAlert, Sweep/N, NShld, NProt, AVTK/N, NAV/N, IBMAV/N, Innoc, LProt
Removal Instructions: Delete infected files
General Comments:
The Wizard 3.0 virus was submitted in December, 1992. It is
originally from Poland. Wizard 3.0 is a memory resident infector
of .COM programs, including COMMAND.COM.

When the first Wizard 3.0 infected program is executed, the Wizard
3.0 virus will install itself memory resident in a "hole" in low
system memory, hooking interrupt 21. Total system and available
free memory, as indicated by the DOS CHKDSK program, will not be
changed.

Once the Wizard 3.0 virus is memory resident, it will infect .COM
programs, including COMMAND.COM, when they are executed. Infected
programs will have a file length increase of 268 bytes with the
virus being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered. The
following text is visible within the viral code in all Wizard 3.0
infected programs:

"I'm WIZARd 3.0"

The Wizard virus will occasionally display the above message on
the system monitor when a program is executed. When the message
is displayed, it is slowly typed character by character with
accompanying beeps on the system speaker.
Known variant(s) of Wizard 3.0 are:
Wizard.312: Received in January, 1995, Wizard.312 is a 312 byte
variant of the Wizard virus described above. It adds 312
bytes to the .COM files it infects. The file's date in the DOS
disk directory listing will not be altered, but the time will
have been set to "10:00:00 AM". The following text strings
can be found within the viral code in all infected programs:
"Microbi is here!"
"4991 uheyzrk"
The first text string may be displayed as a message on the
system monitor when an infected program is executed.
Origin: Unknown January, 1995.
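
The indicators described above (268 or 312 bytes appended to .COM files, the visible text strings, and the "10:00:00 AM" file time of Wizard.312) can be checked on files copied from a suspect disk. The following Python check is an added example, not part of the original entry or of any scanner listed under Detection Method; it assumes the strings are stored as plain ASCII and that Wizard.312, like Wizard 3.0, places its code at the end of the file.

```python
import os
import tempfile
from datetime import datetime

# Growth sizes and visible text strings taken from the entry above.
VARIANTS = {
    "Wizard 3.0": (268, [b"I'm WIZARd 3.0"]),
    "Wizard.312": (312, [b"Microbi is here!", b"4991 uheyzrk"]),
}

def match_tail(data):
    """Names of variants whose text strings all sit in the last N bytes."""
    hits = []
    for name, (length, markers) in VARIANTS.items():
        # An infected file is the host plus N appended bytes, so it must be longer than N.
        if len(data) > length and all(m in data[-length:] for m in markers):
            hits.append(name)
    return hits

def scan_file(path):
    """Return (variant, note) findings for one .COM file."""
    if not path.lower().endswith(".com"):
        return []
    with open(path, "rb") as fh:
        data = fh.read()  # .COM programs are under 64 KB
    findings = []
    for name in match_tail(data):
        note = "text string in appended tail"
        stamp = datetime.fromtimestamp(os.path.getmtime(path))
        if name == "Wizard.312" and stamp.strftime("%H:%M:%S") == "10:00:00":
            note += "; file time is 10:00:00 AM"
        findings.append((name, note))
    return findings

def scan_tree(root):
    """Walk a directory (e.g. a mounted disk image) and map path -> findings."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hits = scan_file(os.path.join(dirpath, fname))
            if hits:
                found[os.path.join(dirpath, fname)] = hits
    return found

if __name__ == "__main__":
    # Constructed sample: filler bytes plus the marker text, not real viral code.
    with tempfile.TemporaryDirectory() as d:
        tail = b"I'm WIZARd 3.0".ljust(268, b"\x00")
        with open(os.path.join(d, "SAMPLE.COM"), "wb") as fh:
            fh.write(b"\x90" * 500 + tail)
        print(scan_tree(d))
```

A match is only a string-based indicator; confirm any hit with one of the scanners listed under Detection Method before deleting files.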