Virus Name: WMA
V Status: New
Discovered: December, 1996
Symptoms: .EXE file growth; decrease in available free memory;
file date/time seconds = "60"; system hangs
Eff Length: 709 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: AVTK, PCScan, ViruScan, NAV, NAVDX,
AVTK/N, NShld, NAV/N
Removal Instructions: Delete infected files
The WMA or WMA.709 virus was received in December, 1996. Its origin
or point of isolation is unknown. WMA is a memory resident infector
of .EXE files. It is a semi-stealth infector, hiding the file length
increase on infected files when it is memory resident.
When the first WMA infected program is executed, this virus will
become memory resident at the top of system memory but below the
640K DOS boundary, not moving interrupt 12's return. Available free
memory, as indicated by the DOS CHKDSK program from DOS 5.0, will
have decreased by 720 bytes. Interrupt 21 will be hooked by the
virus in memory.
Once this virus is memory resident, it will infect .EXE files when
they are executed. Infected files will have a file length increase
of 709 bytes, though this file length increase will be hidden by the
virus when it is memory resident. The viral code will be located at
the end of the file. The program's date and time in the DOS disk
directory listing will not appear to be altered, though the seconds
field will have been set to "60". The following text strings are
visible within the viral code:
System hangs may occur on infected systems.
Known variant(s) of WMA are:
WMA.995: Also received in December, 1996, this is a 995 byte
variant of the WMA virus described above. Its size in memory
is 2,576 bytes hooking interrupt 21 as a low system memory TSR.
Once resident, it infects .COM and .EXE files, including
COMMAND.COM, when they are executed. Infected files will have a
file length increase of 995 bytes, though this file length
increase will be hidden when the virus is memory resident. The
viral code will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"60". The following text string is encrypted within the viral
"Androide 1B by WM’ [DAN]"
The DOS CHKDSK program will indicate file allocation errors on
all infected programs when the virus is memory resident. System
hangs and unexpected system reboots may occur on infected
Origin: Unknown December, 1996.