WZ Virus


 Virus Name:  WZ 
 Aliases:     WZ.495 
 V Status:    New 
 Discovered:  July, 1994 
 Symptoms:    .COM & .EXE growth; message displayed; 
              decrease in total system & available free memory 
 Origin:      Unknown 
 Eff Length:  495 - 499 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, Sweep, VAlert, 
                    NAV, NAVDX, ChAV, 
                    AVTK/N, Sweep/N, NProt, IBMAV/N, NShld, NAV/N, Innoc 
 Removal Instructions:  Delete infected programs 
 
 General Comments: 
       The WZ or WZ.495 virus was received in July, 1994.  Its origin or 
       point of isolation is unknown.  WZ is a memory resident infector of 
       .COM and .EXE programs, including COMMAND.COM. 
 
       When the first WZ infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, without changing the memory size returned by 
       interrupt 12.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 4,608 bytes. 
       Interrupt 21 will be hooked by the virus in memory. 
 
       Once the WZ virus is memory resident, it will infect .COM and .EXE 
       programs, including COMMAND.COM, when they are executed.  Infected 
       .COM programs will increase in size by 499 bytes while infected .EXE 
       programs will increase in size by 495 bytes.  In both cases, the virus 
       will be located at the end of the file.  The program's date and time 
       in the DOS disk directory listing will not be altered.  The following 
       text string is encrypted within the viral code: 
 
               "I'm WIZARd 4.0" 
 
       The text may be displayed as a message on the system monitor when an 
       infected program is executed. 
 
       Known variant(s) of WZ are: 
       WZ.436.A: Received in January, 1996, this is a 436 byte variant 
           of the WZ virus described above.  It becomes memory resident in 
           allocated system memory, hooking interrupt 21.  Once resident, 
           it infects .COM and .EXE files, but not COMMAND.COM, when they 
           are executed.  Infected files will have a file length increase 
           of 436 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not be altered.  No text strings are visible within the 
           viral code.  This variant will sometimes alter the shape or 
           position of the cursor on the system display. 
           Origin:  Unknown  January, 1996. 
       WZ.436.B: Received in January, 1996, this variant is similar in 
           behavior to the WZ.436.A variant.  The major distinction is that 
           this variant may corrupt the system hard disk, and contains the 
           following text string: 
           "WZtm" 
           Origin:  Unknown  January, 1996. 
