Willistrover III Virus
Virus Name: Willistrover III
Aliases:
V Status: New
Discovered: August, 1993
Symptoms: .COM & .EXE growth; unexpected system reboots;
decrease in total system & available free memory;
"Not ready error reading drive" error messages
Origin: Bolivia
Eff Length: 965 - 979 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: IBMAV, Sweep, F-Prot, ViruScan, VAlert, PCScan, NAV,
NAVDX, ChAV, AVTK 7.68+,
Sweep/N, NShld, IBMAV/N, Innoc, NAV/N, LProt,
AVTK/N 7.68+
Removal Instructions: Delete infected files
General Comments:
The Willistrover III virus was submitted in August, 1993, and is
from Bolivia. It is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
When the first Willistrover III infected program is executed, this
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, without changing the memory
size returned by interrupt 12. Total system and available free memory,
as indicated by the
DOS CHKDSK program, will have decreased by 1,040 bytes. Interrupt
21 will be hooked by Willistrover III in memory.
Once the Willistrover III virus is memory resident, it will infect
.COM and .EXE programs when they are executed. Infected .COM files
will have a file length increase of 965 bytes. Infected .EXE files
will have a file length increase of 965 to 979 bytes. In both cases
the virus will be located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered. No
text strings are visible within the viral code in Willistrover III
infected programs.
After all of the .COM and .EXE programs in the current directory have
become infected, execution of the next infected program will result
in the virus infecting the copy of COMMAND.COM pointed to by the
COMSPEC environment parameter. At this point, a system reboot may
occur, or the following message may be displayed requiring an
appropriate action by the system user:
"Not ready error reading drive X
Insert disk with \COMMAND.COM in drive X
and strike any key when ready"
The X in the above message will be the current drive letter. After
COMMAND.COM is infected, unexpected system reboots may occur any
time a program is executed.
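
A size-baseline check for the growth pattern described above, as an added example that is not part of the original entry: it compares a known-good listing with the current one and reports .COM and .EXE files that grew by the stated amounts while their directory date and time stayed the same. The Entry type, the function name and the sample listings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Growth figures as stated in the entry above.
COM_GROWTH = {965}
EXE_GROWTH = set(range(965, 980))  # 965 to 979 bytes inclusive


@dataclass(frozen=True)
class Entry:
    size: int   # file length in bytes
    stamp: str  # date/time shown in the directory listing


def suspicious_growth(baseline, current):
    """Return sorted (name, delta) pairs that match the reported pattern:
    a .COM/.EXE file grew by a listed amount while its stamp stayed the same."""
    hits = []
    for name, now in current.items():
        before = baseline.get(name)
        if before is None:
            continue  # no known-good record to compare against
        ext = name.upper().rsplit(".", 1)[-1] if "." in name else ""
        allowed = {"COM": COM_GROWTH, "EXE": EXE_GROWTH}.get(ext)
        if allowed is None:
            continue  # the entry lists only .COM and .EXE as targets
        delta = now.size - before.size
        if delta in allowed and now.stamp == before.stamp:
            hits.append((name, delta))
    return sorted(hits)


# Constructed sample listings (hypothetical names, sizes and stamps).
OLD = "1993-03-10 06:00"
BASELINE = {
    "COMMAND.COM": Entry(52925, OLD),
    "CHKDSK.EXE": Entry(12241, OLD),
    "FORMAT.COM": Entry(22717, OLD),
    "EDIT.COM": Entry(413, OLD),
    "README.TXT": Entry(2000, OLD),
}
CURRENT = {
    "COMMAND.COM": Entry(52925 + 965, OLD),                # grew, stamp unchanged
    "CHKDSK.EXE": Entry(12241 + 972, OLD),                 # grew within .EXE range
    "FORMAT.COM": Entry(22717 + 965, "1993-08-20 10:15"),  # stamp changed
    "EDIT.COM": Entry(413, OLD),                           # unchanged
    "README.TXT": Entry(2000 + 965, OLD),                  # not a listed target
}

if __name__ == "__main__":
    for name, delta in suspicious_growth(BASELINE, CURRENT):
        print(f"{name}: +{delta} bytes, directory date/time unchanged")
```

A match is only a lead for scanning with one of the listed detection tools, since an unrelated change can produce the same size difference.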