Wolfman Virus


 Virus Name:  Wolfman 
 Aliases:     Wolf 
 V Status:    Rare 
 Discovered:  July, 1990 
 Symptoms:    TSR; .COM & .EXE growth; file date/time changes 
 Origin:      Taiwan 
 Eff Length:  2,064 Bytes 
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Wolfman virus was discovered in Taiwan in July, 1990.  It is a 
       memory resident generic infector of .COM and .EXE files, but not 
       COMMAND.COM. 
 
       The first time a program infected with the Wolfman virus is 
       executed, the virus will install itself memory resident as a TSR 
       with 2 blocks of memory reserved.  The first block of memory 
       reserved is 68,032 bytes in length, the second block of reserved 
       memory is 4,544 bytes in length.  The total 72,640 bytes of memory 
       is in low system memory, and available free memory is decreased by 
       a corresponding amount. The virus hooks interrupts 09, 10, 16, 21, 
       2F, ED, and F5. 
 
       Once the virus is memory resident, the virus will infect any .COM 
       or .EXE file which is executed if the pre-infection file length is 
       greater than or equal to 2,064 bytes.  Infected files increase in 
       length by 2,064 bytes.  .COM files which are infected will have the 
       virus's code located at the beginning of the .COM file, .EXE files 
       will have the virus located at the end.  Infected files will have 
       their date and time in the disk directory altered to the system 
       date and time when infection occurred. 
 
       It is unknown when Wolfman activates, or if it is destructive. 
 
       Known variant(s) of Wolfman are: 
       Wolfman 2: This variant is fairly similar to the Wolfman virus. 
           Its memory resident TSR is 67,984 bytes, and it hooks interrupts 
           09, 10, 16, 21, CF, D1, D3, and several others.  Files 
           smaller than 5,120 bytes will not be infected by the virus. 
           Infected .EXE files will contain the text string "WOlf_mAN", 
           though this string cannot be found in infected .COM programs as 
           it will be encrypted. 
       Wolfman.C: Received in January, 1996, this is another minor 
           variant of the Wolfman virus.  Its in memory TSR is 67,952 
           bytes, hooking interrupts 09, 10, 16, 21, and FB.  Once resident, 
           it infects .COM and .EXE files, but not COMMAND.COM, when they 
           are executed.  Infected files will increase in size by 2,064 
           bytes.  In the case of .COM files, the virus will be located at 
           the beginning of the file, whereas in .EXE files it is at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will have been updated to the current system 
           date and time when infection occurred.  The following text 
           string is visible within the viral code: 
           "WOlf_mAN" 
           Origin:  Unknown  January, 1996.

Show viruses from discovered during that infect .

Main Page