Virus Name: Wolfman
V Status: Rare
Discovered: July, 1990
Symptoms: TSR; .COM & .EXE growth; file date/time changes
Eff Length: 2,064 Bytes
Type Code: PRsA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Wolfman virus was discovered in Taiwan in July, 1990. It is a
memory resident generic infector of .COM and .EXE files, but not
The first time a program infected with the Wolfman virus is
executed, the virus will install itself memory resident as a TSR
with 2 blocks of memory reserved. The first block of memory
reserved is 68,032 bytes in length, the second block of reserved
memory is 4,544 bytes in length. The total 72,640 bytes of memory
is in low system memory, and available free memory is decreased by
a corresponding amount. The virus hooks interrupts 09, 10, 16, 21,
2F, ED, and F5.
Once the virus is memory resident, the virus will infect any .COM
or .EXE file which is executed if the pre-infection file length is
greater than or equal to 2,064 bytes. Infected files increase in
length by 2,064 bytes. .COM files which are infected will have the
virus's code located at the beginning of the .COM file, .EXE files
will have the virus located at the end. Infected files will have
their date and time in the disk directory altered to the system
date and time when infection occurred.
It is unknown when Wolfman activates, or if it is destructive.
Known variant(s) of Wolfman are:
Wolfman 2: This variant is fairly similar to the Wolfman virus.
Its memory resident TSR is 67,984 bytes, and it hooks interrupts
09, 10, 16, 21, CF, D1, D3, and several others. Files
smaller than 5,120 bytes will not be infected by the virus.
Infected .EXE files will contain the text string "WOlf_mAN",
though this string cannot be found in infected .COM programs as
it will be encrypted.
Wolfman.C: Received in January, 1996, this is another minor
variant of the Wolfman virus. Its in memory TSR is 67,952
bytes, hooking interrupts 09, 10, 16, 21, and FB. Once resident,
it infects .COM and .EXE files, but not COMMAND.COM, when they
are executed. Infected files will increase in size by 2,064
bytes. In the case of .COM files, the virus will be located at
the beginning of the file, whereas in .EXE files it is at the
end of the file. The program's date and time in the DOS disk
directory listing will have been updated to the current system
date and time when infection occurred. The following text
string is visible within the viral code:
Origin: Unknown January, 1996.