Virus Name: WinVir
V Status: Rare
Discovered: September, 1992
Symptoms: Windows .EXE file growth; Windows .EXE files altered;
Windows programs intermittenly fail to execute
Eff Length: 854 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, PCScan,
ViruScan, VAlert, NAV, NAVDX, ChAV,
Sweep/N, Innoc, AVTK/N, IBMAV/N, NShld, LProt, NAV/N
Removal Instructions: Replace infected files
The WinVir or WVir virus was received from Sweden in September,
1992. This virus is a non-resident direct action virus which will
only replicate in a Windows environnment. It infects .EXE programs
which are in Microsoft's New Executable (Windows executable)
format. It does not infect .EXE programs which are not Windows
When a program infected with WinVir is executed under Windows, this
virus will search the current directory to locate Windows
executable .EXE programs. These programs will then be infected,
with the virus relocating a portion of the host program to the
end of the file, and then infecting the middle of the host
program. The infected program will increase in size by 854 bytes,
the file's date and time in the DOS disk directory listing will
not be altered. WinVir will then remove itself from the program
the user was attempting to execute, though the program is not
always returned to its original condition before it was infected.
The program then terminates, and the program the user was attempting
to execute does not run. If the user again attempts to execute
the program, it will function properly.
Two text strings can be found in all programs infected by WinVir:
Either of these two text strings may also be found in programs
which WinVir has previously disinfected.
This virus is rather buggy, and in testing was found to only
function properly when it was copied into the Windows directory.
When executed from any other directory, unexpected results
would occur, including some rather bizarre error messages.