CPW Virus
Virus Name: CPW
Aliases: CPW.1459
V Status: Rare
Discovery: December, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; Scan.Exe deleted; message; keyboard interference
Origin: Chile
Eff Length: 1,459 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV, NAVDX,
VAlert, PCScan, ChAV, NShld, Sweep/N, NProt, AVTK/N, NAV/N, IBMAV/N,
Innoc, LProt
Removal Instructions: Delete infected files
General Comments:
The CPW virus was submitted in December, 1992. It is originally
from Chile. CPW is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
When the first CPW infected program is executed, the CPW virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, hooking interrupts 16 and 21.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 2,000 bytes. Interrupt
12's return will not be moved. Also at this time, the copy of
COMMAND.COM located in the C: drive root directory will be infected
by the virus if it was not previously infected.
Once the CPW virus is memory resident, it will infect .COM and
.EXE programs when they are executed or opened. Infected programs
will have a file length increase of 1,459 bytes with the virus
being located at the end of the file. The program's date and time
in the DOS disk directory listing will not be altered. The following
text strings are visible within the viral code in all CPW infected
programs:
"Este programa fue hecho en Chile en 1992 por CPW."
"C:\COMMAND.COM"
"Feliz cumpleaños CPW"
"You are here CPW!"
"ULS"
After the CPW virus has been memory resident for a while, it will
activate. Upon activation, it will display the following message
at the DOS prompt, one character at a time. The characters of the
message replace the characters the user is typing on the system
keyboard:
"You are here CPW!"
The character substitution continues until the user hits an ALT+key
combination on the system keyboard, such as ALT+C. Another effect
of the virus is that attempts to execute a program named Scan.Exe
with the virus memory resident will result in the Scan.Exe program
being deleted from the disk. System hangs may also occur on
infected systems when programs are executed.
Known variant(s) of CPW are:
CPW.1457: Received in January, 1996, this is a 1,457 byte variant
of the CPW virus described above. Its size in memory is also
2,000 bytes, hooking interrupts 16 and 21. Once resident, it
infects .COM and .EXE files, including COMMAND.COM, when they are
executed. Infected files will have a file length increase of
1,457 bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are visible
within the viral code:
"Esta programa fue hecho en Chile en 1992 por CPW."
"C:\COMMAND.COM"
"Feliz cumpleaños CPW!"
"You are here CPW!"
This variant also deletes SCAN.EXE when it is executed with the
virus memory resident.
Origin: Unknown January, 1996.
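
The description above gives two things a file check can use: the viral code sits at the end of the infected file (1,459 or 1,457 bytes), and fixed text strings are visible in it. The following Python sketch is an added example, not part of the original entry or of any listed scanner; the two-marker threshold, the function names and the sample data are assumptions made for illustration.

```python
import os

# Effective lengths listed in this entry (CPW.1459 and the CPW.1457 variant).
VARIANT_LENGTHS = (1459, 1457)
WINDOW = max(VARIANT_LENGTHS)
# ASCII-only strings the entry lists as visible in infected programs. The first
# drops the leading "Este"/"Esta" so it matches both listings; the "Feliz ..."
# string is left out because its n-tilde byte depends on the code page.
MARKERS = (
    b"programa fue hecho en Chile en 1992 por CPW.",
    b"C:\\COMMAND.COM",
    b"You are here CPW!",
)
MIN_HITS = 2  # assumption: two distinct markers in the tail flag a file


def scan_bytes(data):
    """Return the markers found in the last WINDOW bytes of data."""
    tail = data[-WINDOW:]
    return [m.decode("ascii") for m in MARKERS if m in tail]


def is_suspect(data):
    """True when enough markers sit in the appended region at the file end."""
    return len(scan_bytes(data)) >= MIN_HITS


def scan_tree(root):
    """Yield (path, hits) for .COM/.EXE files under root whose tail matches."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith((".COM", ".EXE")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                size = fh.seek(0, os.SEEK_END)
                fh.seek(max(0, size - WINDOW))  # read only the tail
                hits = scan_bytes(fh.read())
            if len(hits) >= MIN_HITS:
                yield path, hits


# Constructed samples: filler bytes plus the text strings only, no viral code.
_tail = (b"\x00" * 100 + b"".join(MARKERS) + b"ULS").ljust(1459, b"\x00")
SAMPLE_INFECTED = b"MZ" + b"\x00" * 4000 + _tail
SAMPLE_CLEAN = b"MZ" + b"You are here CPW!" + b"\x00" * 4000  # string not in tail

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_INFECTED), is_suspect(SAMPLE_CLEAN))
```

A match only marks a file for review with a real scanner; the entry's removal advice (delete infected files) still applies.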