JW2 Virus


 Virus Name:  JW2 
 Aliases:     812, Jabberwocky 
 V Status:    Rare 
 Discovered:  September, 1991 
 Symptoms:    .COM & .EXE growth; TSR 
 Origin:      Unknown 
 Eff Length:  812 Bytes 
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, NAV, F-Prot, Sweep, ChAV, 
                    IBMAV, NAVDX, VAlert, PCScan, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The JW2, or 812, virus was submitted in September, 1991.  Its 
       origin, or point of isolation, is unknown.  JW2 is a memory 
       resident infector of .COM and .EXE files, including COMMAND.COM. 
 
       The first time a program infected with JW2 is executed, JW2 will 
       become memory resident as a low system memory TSR of 1,136 bytes. 
       Interrupt 21 will be hooked by JW2 in memory. 
 
       Once JW2 is memory resident, it will infect .COM and .EXE programs, 
       including COMMAND.COM, when they are executed.  Infected programs 
       increase in size by 812 bytes with the virus being located at the 
       end of the infected file.  There will be no change in the file's 
       date and time in the DOS disk directory. 
 
       Programs infected with JW2 will contain the text string "JW2" in
       the fourth through sixth characters of the infected file; this
       string is the infection marker.
 
       It is unknown if JW2 does anything besides replicate. 
 
       Known variant(s) of JW2 are: 
       Jabberwocky: A variant of JW2, it has six bytes which differ 
                    from the original virus.  This variant will 
                    occasionally display the following message when a 
                    program is executed:  "BEWARE THE JABBERWOCK!".  The 
                    message cannot be seen in infected files as it is 
                    encrypted. 
       Jabberwocky.615: Received in July, 1994, Jabberwocky.615 is a 615 
                    byte variant of the virus described above.  Its low 
                    system memory TSR is 944 bytes, hooking interrupt 21. 
                    It infects .COM programs, including COMMAND.COM, when 
                    they are executed.  Infected programs will have a file 
                    length increase of 615 bytes with the virus being 
                    located at the end of the file.  The program's date and 
                    time in the DOS disk directory listing will not be 
                    altered.  The following text string is visible within 
                    all infected programs starting at the 4th byte of the 
                    file: 
                    "JW1" 
                    Origin:  Unknown  July, 1994. 
       Jabberwocky-B: Functionally similar to Jabberwocky, Jabberwocky-B 
                    is another minor variant with 7 bytes which differ. 
                    Origin:  Unknown  September, 1992. 
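
Added example (not part of the original entry): a Python triage sweep that flags .COM/.EXE files carrying the "JW2" or "JW1" marker at the fourth byte, using the offsets, lengths and file types given above. The function names and the size check (an infected file must be longer than the appended virus body) are assumptions of this example; a match is an indicator to confirm with a scanner, not proof of infection.

```python
import os

# Marker text -> (virus length in bytes, extensions the entry says it infects).
# Marker position, lengths and file types are taken from the entry above.
SIGNATURES = {
    b"JW2": (812, {".com", ".exe"}),   # JW2 / 812
    b"JW1": (615, {".com"}),           # Jabberwocky.615
}
MARKER_OFFSET = 3   # "fourth through sixth characters", counted from 1


def check_file(path):
    """Return the marker string if the file matches an entry, else None."""
    ext = os.path.splitext(path)[1].lower()
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(MARKER_OFFSET + 3)
    marker = head[MARKER_OFFSET:MARKER_OFFSET + 3]
    sig = SIGNATURES.get(marker)
    if sig is None:
        return None
    length, exts = sig
    # Assumption of this example: the virus body is appended to the host,
    # so an infected file must be longer than the body itself.
    if ext not in exts or size <= length:
        return None
    return marker.decode("ascii")


def scan_tree(root):
    """Walk root and return sorted (path, marker) pairs for files that match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                marker = check_file(path)
            except OSError:
                continue    # unreadable file: skip, do not abort the sweep
            if marker:
                hits.append((path, marker))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, marker in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{marker}\t{path}")
```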
