WMA Virus


 Virus Name:  WMA 
 Aliases:     WMA.709 
 V Status:    New 
 Discovered:  December, 1996 
 Symptoms:    .EXE file growth; decrease in available free memory; 
              file date/time seconds = "60"; system hangs 
 Origin:      Unknown 
 Eff Length:  709 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  AVTK, PCScan, ViruScan, NAV, NAVDX, 
                    AVTK/N, NShld, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The WMA or WMA.709 virus was received in December, 1996.  Its origin 
       or point of isolation is unknown.  WMA is a memory resident infector 
       of .EXE files.  It is a semi-stealth infector, hiding the file length 
       increase on infected files when it is memory resident. 
 
       When the first WMA infected program is executed, this virus will 
       become memory resident at the top of system memory but below the 
       640K DOS boundary, not moving interrupt 12's return.  Available free 
       memory, as indicated by the DOS CHKDSK program from DOS 5.0, will 
       have decreased by 720 bytes.  Interrupt 21 will be hooked by the 
       virus in memory. 
 
       Once this virus is memory resident, it will infect .EXE files when 
       they are executed.  Infected files will have a file length increase 
       of 709 bytes, though this file length increase will be hidden by the 
       virus when it is memory resident.  The viral code will be located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not appear to be altered, though the seconds 
       field will have been set to "60".  The following text strings are 
       visible within the viral code: 
 
           "s" 
           "wm" 
 
       System hangs may occur on infected systems. 
 
       Known variant(s) of WMA are: 
       WMA.995: Also received in December, 1996, this is a 995 byte 
           variant of the WMA virus described above.  Its size in memory 
           is 2,576 bytes hooking interrupt 21 as a low system memory TSR. 
           Once resident, it infects .COM and .EXE files, including 
           COMMAND.COM, when they are executed.  Infected files will have a 
           file length increase of 995 bytes, though this file length 
           increase will be hidden when the virus is memory resident.  The 
           viral code will be located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not appear 
           to be altered, though the seconds field will have been set to 
           "60".  The following text string is encrypted within the viral 
           code: 
             "Androide 1B by WM [DAN]" 
           The DOS CHKDSK program will indicate file allocation errors on 
           all infected programs when the virus is memory resident.  System 
           hangs and unexpected system reboots may occur on infected 
           systems. 
           Origin:  Unknown  December, 1996. 

Show viruses from discovered during that infect .

Main Page