Madwill.B Virus


 Virus Name:  Madwill.B 
 Aliases: 
 V Status:    New 
 Discovered:  January, 1995 
 Symptoms:    .COM & .EXE growth; DOS CHKDSK file allocation errors; 
              decrease in total system & available free memory; 
              file date/time decade set to "2" 
 Origin:      USSR 
 Eff Length:  2,400 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, Sweep, ViruScan, NAV, 
                    NAVDX, VAlert, ChAV, 
                    AVTK/N, IBMAV/N, Sweep/N, NProt, NShld, NAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Madwill.B virus was received in January, 1995.  It appears to 
       be from Moscow.  Madwill.B is a memory resident semi-stealth fast 
       infector which infects .COM and .EXE files, but not COMMAND.COM. 
       It is unknown what it does besides replicate. 
 
       When the first Madwill.B infected program is executed, this virus 
       will install itself memory resident at the top of system memory 
       but below the 640K DOS boundary, without changing the value returned by interrupt 12.
       Total system and available free memory, as indicated by the 
       DOS CHKDSK program, will have decreased by 2,672 bytes.  Interrupts 
       21 and 93 will be hooked by the virus in memory. 
 
       Once the Madwill.B virus is memory resident, it will infect .COM 
       and .EXE files, other than very small ones and COMMAND.COM, when 
       they are executed, opened, or copied.  Infected files will increase 
       in size by 2,400 bytes, though the file length increase will be 
       hidden when the virus is memory resident.  The virus will be located 
       at the end of the file.  The program's date and time in the DOS disk 
       directory listing will be altered so that the decade in the file 
       date is set to "2".  The following text strings are visible within 
       the viral code in all Madwill.B infected programs: 
 
               "This program requires MS-DOS version 3.30 or later." 
               "ðThe Stainless Steel TechRatð, v1.1, 28.05.94, 
                (C) 1993-94 by MadWill Stealth Labs, Moscow, Russia" 
               "WYSINWYG (What you see is NOT what you get)" 
               "Thanks to H. Harrison" 
               "COMMAND.COM .EXE" 
               "Story 1 of 7 : The Stainless Steel TechRat is Born" 
 
       The DOS CHKDSK program will return file allocation errors on all 
       infected files when the Madwill.B virus is memory resident. 
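
The indicators described above can be checked with a short scan. This is an added example, not part of the original entry: it looks for the distinctive text strings in the last 2,400 bytes of .COM and .EXE files. The function names and the sample files are constructed for illustration, and the scan assumes the virus is not memory resident (for example, an offline copy of the disk), since the entry notes the length increase is hidden while it is resident.

```python
import os
import tempfile

VIRUS_LENGTH = 2400  # effective length stated in the entry
# Distinctive strings quoted in the entry; generic ones such as the
# MS-DOS version message are left out to avoid false positives.
MARKERS = (
    b"The Stainless Steel TechRat",
    b"MadWill Stealth Labs, Moscow, Russia",
    b"WYSINWYG (What you see is NOT what you get)",
)
TARGET_EXTENSIONS = (".com", ".exe")


def tail_markers(path, window=VIRUS_LENGTH):
    """Return the markers found in the last `window` bytes of a file."""
    size = os.path.getsize(path)
    with open(path, "rb") as handle:
        handle.seek(max(0, size - window))
        tail = handle.read(window)
    return [m for m in MARKERS if m in tail]


def scan_tree(root):
    """Map each suspect .COM/.EXE path under `root` to its matched markers."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXTENSIONS):
                found = tail_markers(os.path.join(folder, name))
                if found:
                    hits[os.path.join(folder, name)] = found
    return hits


def demo():
    """Build constructed sample files (no viral code) and scan them."""
    with tempfile.TemporaryDirectory() as root:
        clean = b"\x90" * 5000
        # Constructed stand-in: host bytes plus a 2,400-byte tail holding markers.
        tail = (MARKERS[0] + b"\x00" + MARKERS[1]).ljust(VIRUS_LENGTH, b"\x00")
        samples = {"CLEAN.COM": clean, "SUSPECT.EXE": clean + tail,
                   "NOTES.TXT": tail}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        return {os.path.basename(p): m for p, m in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())
```

A string match is only a lead for further analysis: any file that merely quotes these strings in its final 2,400 bytes will also match.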
