BW Virus
Virus Name: BW
Aliases: BW.311
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth
Origin: Unknown
Eff Length: 311 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan,
NAV, NAVDX, PCScan, ChAV,
NProt, AVTK/N, IBMAV/N, NShld, NAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The BW or BW.311 virus was received in January, 1996, along with
several other viruses and/or variants which appear to have been
written by the same author or created with the same virus creation
utility. The BW.311 virus is a non-resident, direct action infector
of .COM files, including COMMAND.COM. Other viruses and/or variants
may be resident or non-resident, may infect .COM and/or .EXE files,
and may have some stealth type characteristics.
When a program infected with the BW.311 virus is executed, this
virus will infect up to seven .COM files located in the current
directory. Infected .COM files will have a file length increase of
311 bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will not
be altered. The following text strings are visible within the viral
code:
"[BW] MONSTOR"
"*.COM"
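A triage check built from the traits described above, given as an added example and not taken from the original entry or from any of the listed scanners: it flags .COM files in one directory whose last 311 bytes contain both visible text strings. It assumes the strings are stored as contiguous ASCII, and it does not apply to the variants below whose strings are encrypted; the sample files are constructed, inert padding.

```python
import os
import tempfile

VIRUS_LEN = 311                           # file growth stated in the entry
MARKERS = (b"[BW] MONSTOR", b"*.COM")     # strings the entry says are visible

def tail_has_markers(tail: bytes) -> bool:
    """True when every marker string occurs in the given bytes."""
    return all(m in tail for m in MARKERS)

def is_suspect(path: str) -> bool:
    """Check only the last 311 bytes, where the entry places the viral code."""
    size = os.path.getsize(path)
    if size <= VIRUS_LEN:                 # too small to be host + 311 bytes
        return False
    with open(path, "rb") as fh:
        fh.seek(size - VIRUS_LEN)
        return tail_has_markers(fh.read(VIRUS_LEN))

def scan_directory(path: str) -> list:
    """Names of .COM files in `path` (not recursive) whose tail matches."""
    return [n for n in sorted(os.listdir(path))
            if n.upper().endswith(".COM")
            and os.path.isfile(os.path.join(path, n))
            and is_suspect(os.path.join(path, n))]

def demo() -> list:
    """Scan constructed, inert files: zero padding plus the two text strings."""
    body = b"\x00" * 40 + MARKERS[0] + b"\x00" * 8 + MARKERS[1]
    tagged_tail = body.ljust(VIRUS_LEN, b"\x00")
    samples = {
        "CLEAN.COM": b"\x00" * 500,                  # no strings at all
        "TAGGED.COM": b"\x00" * 200 + tagged_tail,   # strings in last 311 bytes
        "HEAD.COM": body + b"\x00" * 400,            # strings present, not at end
        "NOTE.TXT": b"\x00" * 200 + tagged_tail,     # not a .COM file
        "TINY.COM": MARKERS[0] + MARKERS[1],         # shorter than 311 bytes
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_directory(d)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for a real scanner to confirm, since a text-string match alone can also fire on documents or tools that merely quote the strings.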
Known virus(es) or variant(s) of BW are:
BW.410: Received in September, 1996, BW.410 is a non-resident
direct action infector of .COM files, but not COMMAND.COM. It
infects all of the .COM files other than COMMAND.COM in the
current directory when an infected program is executed. Infected
programs will have a file length increase of 410 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the viral code:
"[BW] Hepatitis C Virus"
"*.COM"
Origin: Unknown September, 1996.
BW.631: Received in January, 1996, BW.631 is a memory resident
fast infector of .EXE files. It becomes memory resident at the
top of system memory but below the 640K DOS boundary, moving
interrupt 12's return. Total system and available free memory,
as indicated by the DOS CHKDSK program from DOS 5.0, will have
decreased by 2,048 bytes. Interrupts 21 and 24 will be hooked
by the virus in memory. Once this virus is memory resident,
it will infect .EXE files when they are executed, or opened, but
not when copied. Infected files will have a file length increase
of 653 bytes, though this file length increase will be hidden
when the virus is memory resident. The virus will be located at
the end of the file. The program's date and time in the DOS
disk directory listing will not appear to be altered, though the
seconds field will have been set to "24". The following text
strings are encrypted within the viral code:
"A [BW]"
"Dantes Inferno Strain B Virus"
The DOS CHKDSK program will indicate file allocation errors on
all infected files, as well as any non-infected files with the
seconds field set to "24", when the virus is memory resident.
Origin: Unknown January, 1996.
BW.706: Received in January, 1996, BW.706 is a memory resident
fast infector of .EXE files. It becomes memory resident at the
top of system memory but below the 640K DOS boundary, not moving
interrupt 12's return. Available free memory, as indicated by
the DOS CHKDSK program from DOS 5.0, will have decreased by 2,048
bytes. Interrupts 21 and 24 will be hooked by the virus in
memory. Once this virus is memory resident, it will infect .EXE
files when they are executed, or opened, but not when copied.
Infected files will have a file length increase of 706 bytes,
though this file length increase will be hidden when the virus is
memory resident. The virus will be located at the end of the
file. The program's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field
will have been set to "22". The following text strings are
encrypted within the viral code:
"[BW]"
"Cyclosporine Induced Nephropathy"
The DOS CHKDSK program will indicate file allocation errors on
all infected files, as well as any non-infected files with the
seconds field set to "22", when the virus is memory resident.
Origin: Unknown January, 1996.
BW.754: Received in December, 1996, BW.754 is a non-resident
direct action infector of .COM and .EXE files, but not
COMMAND.COM. It infects up to four .COM or .EXE files in the
current directory when an infected program is executed. Infected
programs will have a file length increase of 754 bytes with the
virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the viral code:
"[BW] The Abnormal Coyote 1 Virus"
"*.*"
Origin: Unknown December, 1996.
BW.790: Received in December, 1996, BW.790 is a non-resident
direct action infector of .COM and .EXE files. It infects all of
the .COM and .EXE files in the current directory when an infected
program is executed. Infected programs will have a file length
increase of 790 bytes with the virus being located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text strings are
encrypted within the viral code:
"[BW] And yet another assisted suicide......."
"*.*"
Origin: Unknown December, 1996.
BW.1393: Received in December, 1996, BW.1393 is a non-resident
direct action infector of .COM and .EXE files, but not
COMMAND.COM. It infects up to three .COM or .EXE files in the
current directory when an infected program is executed. Infected
programs will have a file length increase of 1,393 to 1,425 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The following text strings are encrypted within
the viral code:
"[BW] OJ Virus"
"[BWME]"
Origin: Unknown December, 1996.
BW.1396: Received in December, 1996, BW.1396 is a non-resident
direct action infector of .COM and .EXE files, but not
COMMAND.COM. It infects up to two .COM or .EXE files in the
current directory when an infected program is executed. Infected
programs will have a file length increase of 1,396 to 1,428 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The following text strings are encrypted within
the viral code:
"[BW] The Jelly Belly Virus"
"[BWME]"
"*.*"
Origin: Unknown December, 1996.