WinVir Virus
Virus Name: WinVir
Aliases: WVir
V Status: Rare
Discovered: September, 1992
Symptoms: Windows .EXE file growth; Windows .EXE files altered;
Windows programs intermittently fail to execute
Origin: Sweden
Eff Length: 854 Bytes
Type Code: PNE - Parasitic Non-Resident .EXE Infector
Detection Method: Sweep, AVTK, F-Prot, IBMAV, PCScan,
ViruScan, VAlert, NAV, NAVDX, ChAV,
Sweep/N, Innoc, AVTK/N, IBMAV/N, NShld, LProt, NAV/N
Removal Instructions: Replace infected files
General Comments:
The WinVir or WVir virus was received from Sweden in September,
1992. This virus is a non-resident direct action virus which will
only replicate in a Windows environment. It infects .EXE programs
which are in Microsoft's New Executable (Windows executable)
format. It does not infect .EXE programs which are not Windows
specific programs.
When a program infected with WinVir is executed under Windows, this
virus will search the current directory to locate Windows
executable .EXE programs. These programs will then be infected,
with the virus relocating a portion of the host program to the
end of the file, and then infecting the middle of the host
program. The infected program will increase in size by 854 bytes;
the file's date and time in the DOS disk directory listing will
not be altered. WinVir will then remove itself from the program
the user was attempting to execute, though the program is not
always returned to its original condition before it was infected.
The program then terminates, and the program the user was attempting
to execute does not run. If the user again attempts to execute
the program, it will function properly.
Two text strings can be found in all programs infected by WinVir:
"Virus_for_Windows v1.4"
"MK92"
Either of these two text strings may also be found in programs
which WinVir has previously disinfected.
This virus is rather buggy, and in testing was found to only
function properly when it was copied into the Windows directory.
When executed from any other directory, unexpected results
would occur, including some rather bizarre error messages.
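
The following triage check is an added example, not part of the original entry. It uses only the facts given above: WinVir targets New Executable (NE) format .EXE files, and the two listed text strings appear in infected programs and may remain in disinfected ones. The function names, the result labels and the sample bytes are assumptions constructed for illustration.

```python
import struct
from pathlib import Path

# The two text strings the entry lists for WinVir.
MARKERS = (b"Virus_for_Windows v1.4", b"MK92")


def is_new_executable(data: bytes) -> bool:
    """True if data is an MZ file whose e_lfanew (offset 0x3C) points at 'NE'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (ne_off,) = struct.unpack_from("<I", data, 0x3C)
    return data[ne_off:ne_off + 2] == b"NE"


def classify(data: bytes) -> str:
    """Hypothetical triage labels; a string hit is a lead, not proof."""
    if not is_new_executable(data):
        return "not-ne"    # the entry says non-Windows .EXE files are not infected
    hits = sum(m in data for m in MARKERS)
    if hits == 2:
        return "suspect"   # both strings: infected, or a remnant of disinfection
    if hits == 1:
        return "remnant"   # one string: may be left by WinVir's self-removal
    return "clean"


def make_sample(ne: bool, payload: bytes = b"") -> bytes:
    """Constructed input: minimal MZ stub followed by an NE (or PE) signature."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> header at 0x40
    header = (b"NE" if ne else b"PE") + bytes(0x3E)
    return bytes(stub) + header + payload


def scan_dir(path="."):
    """Classify every .EXE in one directory (WinVir searches the current one)."""
    return {p.name: classify(p.read_bytes())
            for p in sorted(Path(path).iterdir())
            if p.is_file() and p.suffix.lower() == ".exe"}


if __name__ == "__main__":
    for name, verdict in scan_dir(".").items():
        print(f"{verdict:8} {name}")
```

Because the file date and time are not altered, a flagged file should be confirmed by comparing its size or hash against a known-good copy before it is replaced.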