Windmill Virus
Virus Name: Windmill
Aliases: Windmill Dropper
V Status: Rare
Discovered: October, 1991
Symptoms: BSC; decrease in total system and available memory;
"windmill" on screen when accessing write protected diskettes
Origin: Philippines
Eff Length: N/A Bytes
Type Code: BRtF - Resident Diskette Boot Sector Infector
Detection Method: ViruScan, AVTK, F-Prot, IBMAV, Sweep, NAV, NAVDX,
VAlert, ChAV, NShld, NAV/N
Removal Instructions: DOS SYS on System Diskettes
General Comments:
The Windmill virus was discovered in the Philippines in October, 1991.
Windmill is a memory resident, stealth infector of diskette boot
sectors. It does not infect hard disks in its present form.
When a system is booted with a diskette infected with the Windmill
virus, Windmill will install itself memory resident at the top of
system memory but below the 640K DOS boundary. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 1,024 bytes. Interrupt 12's return will have been
moved, and interrupt 1C will be hooked.
Once Windmill is memory resident, it will infect non-write protected
diskettes when they are accessed. Upon accessing the diskette, the
original diskette boot sector will be moved to another location on
the diskette, and then the virus will overwrite the diskette's
boot sector with its viral code.
If the user attempts to access a write-protected diskette, such as
to execute a program from it, a spinning slash character ("/") may
appear in the center of the screen while the virus attempts to
infect the disk. A flickering box may also appear slightly to the
left of center. Eventually the virus will give up trying to infect
the write protected diskette, and the user will be able to execute
the program or access the file on the write-protected diskette.
Windmill is a stealth virus. If Windmill is memory resident and the
user attempts to view or access the boot sector, the Windmill virus
will present the original boot sector instead of the real boot
sector. Thus, anti-viral utilities unaware of Windmill in memory
will not be able to detect any change in the boot sector.
When Windmill is not memory resident, the following text strings
can be found within the boot sector of infected diskettes:
"WINDMILL Strain 2"
"Windmills in your mind.."
"LLCPHPU"
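The two symptoms this entry gives an examiner (the three text strings in a non-resident infected boot sector, and the 1,024-byte drop in the memory total CHKDSK reports) can be checked offline against a raw 512-byte sector image and a reported memory figure. The following is an added example, not part of the VSUM entry; the sample sector it builds is constructed and carries only the strings, not any viral code.

```python
# Added example (not part of the VSUM entry): offline checks for the two
# symptoms the entry describes. The sample sector below is constructed.
SIGNATURES = [b"WINDMILL Strain 2", b"Windmills in your mind..", b"LLCPHPU"]
CONVENTIONAL_KB = 640          # the 640K DOS boundary the entry refers to
EXPECTED_LOSS_BYTES = 1024     # decrease CHKDSK shows with Windmill resident


def scan_boot_sector(sector: bytes) -> dict:
    """Look for Windmill's text strings in a raw 512-byte diskette boot sector.

    Only meaningful when the sector was read after booting from a clean
    diskette: a resident Windmill hands back the original boot sector
    (stealth), so the strings would not be visible."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte boot sector image")
    bootable = sector[510:512] == b"\x55\xaa"      # standard boot signature
    found = [s.decode() for s in SIGNATURES if s in sector]
    return {"bootable_signature": bootable, "strings": found,
            "infected": bool(found)}


def memory_drop_suspicious(reported_kb: int) -> bool:
    """True when the total memory reported (INT 12h / CHKDSK, in KB) is
    exactly 1,024 bytes under the 640K boundary, as the entry describes."""
    return (CONVENTIONAL_KB - reported_kb) * 1024 == EXPECTED_LOSS_BYTES


def make_sample_sector(infected: bool) -> bytes:
    """Constructed sector: a jump stub, OEM name, zero padding and the 0x55AA
    marker; the 'infected' variant has the entry's strings patched in."""
    body = bytearray(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 501)   # 512 bytes
    if infected:
        for offset, s in zip((0x60, 0x80, 0xA0), SIGNATURES):
            body[offset:offset + len(s)] = s
    body[510:512] = b"\x55\xaa"
    return bytes(body)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, scan_boot_sector(make_sample_sector(flag)))
    print("639K reported:", memory_drop_suspicious(639))
```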
Known variant(s) of Windmill are:
Windmill Dropper: A small .COM file which contains the Windmill virus.
Execution of this file will result in the diskette's boot sector being
overwritten by the Windmill virus.