Clonewar Virus
Virus Name: Clonewar
Aliases: Clonewar.247
V Status: Rare
Discovery: October, 1992
Symptoms: Hidden .COM files created; EXEC failure when executing .EXE
programs
Origin: United States
Eff Length: 247 Bytes
Type Code: SNE - Spawning Non-Resident .EXE Infector
Detection Method: ViruScan, Sweep, F-Prot, AVTK, IBMAV, NAV, NAVDX,
ChAV, PCScan,
NShld, Sweep/N, Innoc, NProt, AVTK/N, IBMAV/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Clonewar virus was received in October, 1992. It appears to be
from the United States. Clonewar is a non-resident spawning or
companion virus.
When a program infected with the Clonewar virus is executed, the
Clonewar virus may infect one .EXE program located in the current
directory by creating a hidden, read-only .COM file with the same
base file name. The hidden, companion file will have a file length
of 247 bytes and its file date and time will be the system date
and time when it was created. The following text string can
be found in all of the companion files:
"*.EXE COM"
The files will also contain the name of the companion file, and the
program's name with a .EXE extention.
Systems infected with Clonewar may receive the message "EXEC failure"
when attempting to execute .EXE programs, and are then returned to
the DOS prompt.
Clonewar doesn't do anything besides replicate, but it does interfer
with system operation.
Known variant(s) of Clonewar are:
Acme: Received in November, 1992, Acme is a 923 byte variant of
the Clonewar virus described above. The companion files it
creates have a length of 923 bytes with the read-only and
hidden attributes set. The same text string found in the
original virus occurs in this variant. Acme will not always
replicate when an infected program is executed, but will
sometimes play a repeated a series of tones on the system
speaker while leaving the current drive spinning.
Origin: Unknown November, 1992.
Clonewar.194: Received in January, 1996, this is a 194 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 194 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the second .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.200: Received in January, 1996, this is a 200 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 200 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.207: Received in January, 1996, this is a 207 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 207 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.220: Received in January, 1996, this is a 220 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 220 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.228: Received in September, 1993, Clonewar.228 is a 228
byte variant of the Clonewar virus described above. It infects
one .EXE file in the current directory when an infected program
is executed by creating a hidden 228 byte companion .COM file
with the same base file name. This companion file will have
the read-only and hidden attributes set, and the system date
and time when infection occurred. The following text string
is visible within the viral code:
"*.EXE COM"
Clonewar 2 does not infect past the third .EXE file in any
directory.
[Previous Name For Variant: Clonewar 2]
Origin: Unknown September, 1993.
Clonewar.229: Received in January, 1996, this is a 229 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 229 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.235: Received in January, 1996, this is a 235 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 235 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.242: Received in January, 1996, this is a 242 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 242 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.246: Received in January, 1996, this is a 246 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 246 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.252.A: Received in January, 1996, this is a 252 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 252 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"COM *.EXE Annihilator (SPAWN) is still alive!"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.252.B: Received in January, 1996, this is a 252 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 252 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"*.EXE COM"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.255: Received in January, 1996, this is a 255 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 255 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text strings are visible
within the viral code:
"COM"
"*.EXE"
"Annihilator (SPAWN v1.01) is still alive!"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.258: Received in January, 1996, this is a 258 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 258 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text strings are visible
within the viral code:
"COM"
"*.EXE"
"Annihilator (SPAWN v1.00) is still alive!"
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.260: Received in January, 1996, this is a 260 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 260 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text string is visible
within the viral code:
"CloneWar V1.0 *.EXE COM"
This variant does not infect past the third .EXE file located
in the current directory.
Origin: Unknown January, 1996.
Clonewar.267: Received in January, 1996, this is a 267 byte
variant of the Clonewar virus described above. It infects one
.EXE file located in the current directory when an infected
program is executed by creating a 267 byte read-only hidden
companion .COM file. This companion file's date and time in
the DOS disk directory will be the system date and time when
infection occurred. The following text strings are visible
within the viral code:
"COM"
"*.EXE"
"Annihilator (SPAWN v1.01) is still alive!"
"...D-1994..."
This variant does not infect past the first .EXE file located
in the current directory.
Origin: Unknown January, 1996.
TrekWar: Received in Septembe, 1993, TrekWar is based on the
Clonewar.228 variant. Its hidden companion files are 546
bytes in size, and contain the following unencrypted text:
"Beyond"
"The rim of the star-light"
"My love"
"Is wand'ring in star-flight"
"I know"
"He'll find in star-clustered reaches"
"Love"
"Strange love a star woman teaches."
"I know"
"His journey ends never"
"His star trek"
"Will go on forever."
"But tell him"
"While he wanders his starry sea"
"Remember, remember me."
"[TrekWar] *.EXE COM"
The above strings, other than the last string, are the words to
the theme song from the original Star Trek television series.
Origin: Unknown September, 1993.