Prevent Online Threats

Archive for June, 2008

Win.Twitch

Wednesday, June 25th, 2008

Details
Win.Twitch

It is a harmless(?) non-memory-resident companion virus. It searches for NewEXE files, renames them with the OVL extension and replaces the original files with the virus code. The virus contains the partly encrypted strings:
BOOT SHELL SYSTEM.INI PATH TEMP OVL \ CHKLIST.CPS *.EXE
NETWARE FILEMAN SCRNSAVE WINPRINT WINDOWS
DeviceSelectedTimeout
LOAD .EXE \SYSTEM SYSEDIT.EXE NWPOPUP.EXE

Win.Tentacle_II

Wednesday, June 25th, 2008

Details
Win.Tentacle_II

It is a not dangerous non-memory-resident parasitic NewEXE virus, 10634 bytes long. The actual virus length is 10608 bytes, but while infecting a file it writes additional reference tables to the end of the file, so the length of an infected file grows by 10634 bytes.
In an infected file the Entry Point address does not point to the virus code but to the original Entry Point of the host file. The virus does not change the Entry Point fields in the NewEXE header; instead it patches the code of the host file and forces it to pass control to the virus code. This is the main feature of this virus.
When an infected file is executed, the virus takes control and searches for NewEXE (Windows) files in the current directory, then in the directories:
C:\WIN\ C:\WINDOWS\ C:\WIN31\ C:\WIN311\ C:\WIN95
then the virus searches for *.SCR files in the current directory. The virus infects only one file in each directory listed above, except C:\WINDOWS\, where it infects two files if there are uninfected ones.
Before infecting a file the virus checks the file’s header for the DOS EXE and Windows NewEXE stamps, sets the MaxMem field in the DOS EXE header to FFFEh and uses that value as its ID-stamp, then creates the temporary file C:\TENTACLE.$$$ and uses it as the result file. After infecting a file the virus deletes the original file and renames the temporary file to the original name. This is the same method the “Win.Tentacle” virus uses.
While infecting, the virus modifies the NewEXE header fields, creates a new Segment Table that describes a new Code Segment and writes its code to the end of the file. The virus does not modify the entry segment and IP values, so the infected file takes control at the same address as before infection, and the system executes the original instructions rather than the virus code. To receive control the virus patches the Segment Relocation Records in the file.
First, the virus scans the Module Reference Table for the strings KERNEL and VBRUN300. If neither string is found, the virus terminates the infection routine. If either is found, the virus reads the Segment Relocation Records and looks for relocation 5Bh (INITTASK) in the case of KERNEL, or relocation 64h (THUNRTMAIN) in the case of VBRUN300. Both relocations point to the address of the standard task initialization routine that is called by the very first instructions of Windows programs. The virus stores the address of that routine and replaces it with a reference to the virus code. As a result, the infected file starts as before infection, but when it calls the initialization routine, control is passed to the virus code instead of the original routine. The virus searches for and infects files and then passes control to the original initialization routine. This way of infection allows the virus to hook control without modifying the Entry Point addresses.
The virus also creates three new references in the infected file. They refer to two standard routines, REGSETVALUE and REGQUERYVALUE from SHELL (SHELL.DLL), and to the original INITTASK or THUNRTMAIN routine. The first two are used in the virus trigger routine; the last one is used to return control to the host file.
The virus pays special attention to the WINHELP.EXE file. If such a file is found, the virus patches it in some way: it replaces a jump-on-condition (74h) instruction with a short jump (EBh); I have no idea for what reason.
From 1:00 am till 2:00 am the virus calls the trigger routine. That routine creates the file C:\TENTACLE.GIF and writes a GIF image of a tentacle to it. Then the virus gets from the system Registry (Extensions) the string that is executed when a GIF file is viewed, and puts the name of the virus’ GIF file, C:\TENTACLE.GIF, there. For example, the string “wingif %1” in the system Registry is replaced with “wingif C:\TENTACLE.GIF”. As a result, the system will show the image of the tentacle when viewing any GIF file.
While replacing the data in the Registry, the virus uses the system SHELL calls REGSETVALUE and REGQUERYVALUE.
The virus contains the encrypted text strings:
C:\WINC:\WINDOWSC:\WIN31*.EXE *.SCR
C:\WIN311C:\WIN95\SHELL\OPEN\COMMAND
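As an added example (not from the original description and not any vendor's scanner code), a small Python triage helper that reads the MZ header fields mentioned above: it follows e_lfanew to check for the NE signature and reports whether MaxMem (the e_maxalloc field at offset 0Ch) equals FFFEh, the value the description says the virus uses as its ID-stamp. The sample byte strings are constructed stubs, not real executables. A MaxMem of FFFEh on its own is only a triage signal: linkers normally write FFFFh there, but nothing prevents a clean file from carrying FFFEh, so a hit should lead to a closer look at the Segment Table and relocation records rather than to a verdict.

```python
import struct

MZ_MAGIC = b"MZ"
NE_MAGIC = b"NE"
# ID-stamp value from the description: the virus sets the DOS EXE MaxMem
# field (e_maxalloc, header offset 0Ch) to FFFEh.
TENTACLE_ID_STAMP = 0xFFFE


def parse_mz_header(data: bytes) -> dict:
    """Read the little-endian MZ header fields this check needs."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        raise ValueError("not a DOS MZ executable")
    minalloc, maxalloc = struct.unpack_from("<HH", data, 0x0A)
    lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return {"minalloc": minalloc, "maxalloc": maxalloc, "lfanew": lfanew}


def is_new_exe(data: bytes, lfanew: int) -> bool:
    """True when e_lfanew points inside the file at an 'NE' (Windows NewEXE) header."""
    return 0x40 <= lfanew <= len(data) - 2 and data[lfanew:lfanew + 2] == NE_MAGIC


def triage(data: bytes) -> dict:
    """Classify one file: is it NE, and does it carry the FFFEh ID-stamp?"""
    hdr = parse_mz_header(data)
    ne = is_new_exe(data, hdr["lfanew"])
    return {
        "is_ne": ne,
        "maxalloc": hdr["maxalloc"],
        # The stamp only means something for NE files, which is all this virus infects.
        "tentacle_id_stamp": ne and hdr["maxalloc"] == TENTACLE_ID_STAMP,
    }


def build_sample(maxalloc: int, with_ne: bool = True) -> bytes:
    """Constructed sample: a 64-byte MZ stub plus (optionally) an NE signature.

    This is not a runnable executable; only the header fields read above are set."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<HH", hdr, 0x0A, 0x0000, maxalloc)   # MinMem, MaxMem
    struct.pack_into("<I", hdr, 0x3C, 0x40 if with_ne else 0)  # e_lfanew
    tail = NE_MAGIC + bytes(62) if with_ne else bytes(64)
    return bytes(hdr) + tail


if __name__ == "__main__":
    for label, sample in [("clean NE (MaxMem FFFFh)", build_sample(0xFFFF)),
                          ("stamped NE (MaxMem FFFEh)", build_sample(0xFFFE)),
                          ("plain DOS EXE (no NE header)", build_sample(0xFFFE, with_ne=False))]:
        print(label, triage(sample))
```

Run against a directory of real NE files, `triage` should be applied only to files that parse as MZ; the `ValueError` path is there so that a non-MZ file is reported rather than silently scored.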

Win.Tentacle.1958

Wednesday, June 25th, 2008

Details
Win.Tentacle.1958

It is a not dangerous non-memory-resident parasitic virus. It searches for NewEXE files in the current and C:\WINDOWS directories, then writes itself to the end of the file. While infecting, the virus creates the temporary file C:\TENTACLE.$$$, modifies and copies blocks of the original file to the temporary one, then copies the temporary file over the original and deletes the temporary file.
From 0:00 am till 0:15 am the virus checks the just-infected file for Resources and searches for an Icon resource. If such a resource is present, the virus overwrites it with another icon that is contained in the virus body.
The virus contains the internal text string:
C:\TENTACLE.$$$ C:\WINDOWS\*.EXE

Win.Pin

Wednesday, June 25th, 2008

Details
Win.Pin

This is a very dangerous memory-resident parasitic Win16 virus. It infects Win16 NE EXE files (NewExe) and DOS EXE files, and is polymorphic in both. While infecting NE files, the virus creates a new section at the end of the file, encrypts and writes its code there, then modifies the necessary NE header fields. While infecting DOS EXE files, the virus writes its code to the end of the file and modifies the DOS EXE header. The virus infection routine is buggy and in some cases corrupts NE EXE files.
While infecting a file, the virus also checks the system date and time, and starting from the 16th of any month, depending on the system seconds counter, tries to erase data on the A: drive.
To stay “memory resident”, the virus drops the VxD module that is the main part of its code. This module is dropped into the Windows system directory under the name WINP16.386, and the virus then registers it in the [386Enh] section of the SYSTEM.INI file to force Windows to load the virus’ VxD module at each boot. The modified entry in SYSTEM.INI appears as follows:
[386Enh]
device=winp16.386
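The persistence entry above is a simple thing to check for, and an added example (not from the original description or from any product) shows how: a Python parser for SYSTEM.INI that collects every device= line per section, since a real [386Enh] section carries many device= entries and a stock INI reader would collapse duplicate keys, and then flags entries whose file name is the WINP16.386 indicator from the text. The SYSTEM.INI content is a constructed sample, not taken from a real machine.

```python
from typing import Dict, List

# Indicator from the description: the dropped VxD is registered under this name.
SUSPICIOUS_VXDS = {"winp16.386"}

# Constructed sample SYSTEM.INI; not from a real installation.
SAMPLE_SYSTEM_INI = """\
; constructed sample
[boot]
shell=progman.exe
[386Enh]
device=*vcd
device=C:\\WINDOWS\\SYSTEM\\vshare.386
device=winp16.386
mouse=*vmouse
"""


def parse_devices(text: str) -> Dict[str, List[str]]:
    """Collect every device= value in each section, keeping duplicates and order.

    Section names are lower-cased so [386Enh] and [386enh] are the same section."""
    devices: Dict[str, List[str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section and key.strip().lower() == "device":
            devices.setdefault(section, []).append(value.strip())
    return devices


def find_suspicious_vxds(text: str) -> List[str]:
    """Return the [386Enh] device entries whose file name matches a known indicator."""
    hits = []
    for entry in parse_devices(text).get("386enh", []):
        # Compare only the file name, case-insensitively, so a full path still matches.
        name = entry.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SUSPICIOUS_VXDS:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    print("device= entries:", parse_devices(SAMPLE_SYSTEM_INI))
    print("suspicious:", find_suspicious_vxds(SAMPLE_SYSTEM_INI))
```

Beyond the one known name, the full device list returned by `parse_devices` is worth reviewing by hand on a suspect machine: any VxD that is not in the Windows system directory, or that no installed product accounts for, deserves the same attention.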

When Windows loads this VxD module, the virus memory installation routine takes control. It hooks the INT 21h chain (DOS functions), intercepts file execution and, on any file start, searches for EXE files in the current directory and infects them. The virus checks file names and does not infect the following files: APV.EXE (mistyped AVP.EXE?), SCAN*.EXE, TBAV*.EXE, DRWE*.EXE, AIDS*.EXE, KRNL*.EXE, WIN3*.EXE, and VICT*.EXE.
The virus’ “resident” mode works under both Win16 and Win9x, so the virus is able to infect not only Win16 systems but also Win9x, and affects NE EXE files in Win9x directories.

Win.Homer family

Wednesday, June 25th, 2008

Details
Win.Homer family

These are “memory resident” viruses infecting NewEXE (Windows) files. They were written in C++ and are quite big: from 40K to 54K. There are five known virus versions; they were received as “germs” (first-generation samples). Only two of them are able to replicate; the others cannot replicate because of bugs.
When an infected file is executed, the virus hooks INT 21h and stays in Windows memory as a task. This task is visible (i.e. it has its own window) or hidden (not visible) depending on the virus version. INT 21h is hooked in one of several ways depending on the virus version: real/protected-mode DPMI, or Windows API hooking. When a NewEXE file is executed, the virus infects it: it writes its code to the end of the file and modifies the file’s NewEXE header.
Several virus versions also hook network services. The virus source code contains text saying that “Homer” is able to upload itself to an ftp server’s “incoming” directory: the virus intercepts the user’s login to the remote server, waits until the login procedure is complete, then creates a copy of itself on the C: drive and uploads it to the server using the File Transfer Protocol (FTP). We did not test this ability of the virus, but the virus source code seems to have no bugs. Anyway, this is one of the first steps modern viruses take to affect global networks. Maybe we are looking at the beginning of a new era of global network worms.
The virus source code has the comment:
HOMER virus by Kernel Panik, Italy, april 1997

Win.AEP

Wednesday, June 25th, 2008

Details
Win.AEP

These are harmless nonmemory resident parasitic viruses. They search in the current directory for *.EXE and *.DLL files, which are of NewEXE format (Windows EXE files) and infect them. They shift the file body down, write themselves into the middle of the file and correct NewEXE system data blocks. “Win.AEP.b” contains the string:
(C) 1994 American Eagle Publications Inc., All rights reserved.

Willow Family

Tuesday, June 24th, 2008

Details
Willow Family

These are dangerous memory-resident parasitic viruses. They hook INT 13h, 20h and 21h and write themselves to the end of EXE files when they are accessed. In some cases these viruses delete the file instead of infecting it. “Willow.2013” contains the internal text: “WILLOW come in”.

WilliWonka.1088

Tuesday, June 24th, 2008

Details
WilliWonka.1088

It is a not dangerous(?) memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus searches for the PROTEZ.EXE file in the current directory and hooks INT 1Ch if such a file is found. Then the virus checks the video memory at address B800:0818, and if there is a digit from 2 to 9, the virus patches the code in system memory at address 7000:0041.
The virus contains the encrypted text string:
WilliWonka

Wildy Family

Tuesday, June 24th, 2008

Details
Wildy Family

These are relatively harmless memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM files that are executed. They use the CGA video buffer as a work data area and, as a result, halt a PC with a Hercules adapter. While infecting, they corrupt small files.
These viruses contain the text string:
WILDY

“Wildy.399,402,421” display messages in Russian.

WildThing.555

Tuesday, June 24th, 2008

Details
WildThing.555

This is a dangerous non-memory-resident parasitic encrypted virus. It searches for COM files and writes itself to their ends. It displays the following message:
Wild Thing ][
On Fridays it displays the message and reboots the computer:
It's Fridayall Enjoy the weekend with
your computer! [YAM '92]
This infector contains the internal text string:
By: Admiral Bailey [YAM]*.com \command.com

WildLicker.3372

Tuesday, June 24th, 2008

Details
WildLicker.3372

It is a harmless memory-resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus contains the text strings:
3all 2… 1… WILD LICKER !!! a PKWARE+NUKE+TRIDENT virus for your fucked
pentium (bug inside)
thanks to [NuKE] N.R.L.G. AZRAEL
thanks to PKWARE
PKLITE Copr. 1992 PKWARE Inc. All Rights ReservedNot enough memory
and thanks to [ MK / TridenT ]
[TPE 1.4]

The virus seems to be a compilation of two different engines with the new idea of hiding in PKLITE-like code. These engines are the NRLG virus constructor and the TPE polymorphic generator. The virus installation routine is the same one NRLG viruses use in their code, and the virus code in the file is encrypted by a TPE polymorphic loop.
Masking the virus in PKLITE-like code is the main feature of this virus. The jump-to-EntryPoint instruction is not present in clear in the infected file but is produced by the original PKLITE 1.15 decompression code that PKLITE places at the beginning of COM files when compressing them. As a result, the virus code is encrypted by the TPE polymorphic engine, and the jump to the entry point is hidden in PKLITE code and data.
Infection
When this virus infects a file, it allocates a block of memory to use while infecting, hooks INT 24h to suppress the standard DOS error message when accessing a write-protected disk, and gets and saves the file attributes and date and time stamp.
To separate infected from uninfected files the virus uses the time and date stamp. It performs a logical OR on the seconds field with 0Ah, i.e. sets bits 3 and 1 in the stamp. When separating files the virus checks these bits in the stamp and does not infect a file if they are set. Moreover, the virus sets this stamp even when it fails to infect the file. As a result, all files that have been accessed by this virus have a new value in the seconds field, and the virus never again tries to infect a file it has accessed before.
Then the virus compares the file’s internal format with the EXE stamp MZ (the virus infects only COM files) and checks the file length. If the file length is less than 512 bytes or greater than 50K, the virus terminates the infection routine.
If all conditions are met, the virus moves 512 (200h) bytes from the file header to the end of the file, then overwrites the file header with 1CFh bytes of PKLITE entry code. It then runs the TPE polymorphic engine, encrypts itself and writes the result to the end of the file:
          Original file                         Infected file
0000      +-----------+ --+                +--------------+
          |File header|   |                |PKLITE entry  |
          |           |   |                |code (1CFh)   |
          |           |   |                |--------------|
0200      |-----------| --+                |              |
          |           |   |                |              |
            . . . . .     |                  . . . . . .
          |           |   |                |              |
FEnd      +-----------+   +--------------> |--------------|
                          (header moved)   |Original      |
                                           |file header   |
                                           |              |
FEnd+0200                                  |--------------|
                                           |TPE polymorph.|
                                           |loop          |
                                           |--------------|
                                           |Encrypted     |
                                           |virus code    |
                                           +--------------+
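The time-stamp marker described in the Infection section is something a scanner or a forensic script can look for, so here is an added example (not part of the original description and not any vendor's code) in Python: it packs and unpacks DOS time words, tests whether both marker bits are set in the 2-second count, and runs that test over a constructed directory listing. One assumption is labelled in the code: the description says the OR 0Ah is applied to the "seconds field", which is taken here to mean the low five bits of the DOS time word. Because the OR can also raise the count to 30 or 31 (60 or 62 seconds, which no legitimate stamp contains), an out-of-range seconds value is reported as well. The signal is weak on its own, since roughly one file in five has those two bits set by chance, and the description itself notes that files the virus merely failed to infect are marked too; it is a triage filter, not a verdict.

```python
from typing import List, Tuple

# DOS (FAT) time word layout: hhhhh mmmmmm sssss, seconds stored as a 2-second
# count in bits 0-4.
SECONDS_MASK = 0x1F
# Marker from the description: OR 0Ah into the seconds field sets bits 1 and 3
# of the 2-second count. Assumption: "seconds field" = low five bits of the word.
WILDLICKER_MARK = 0x0A


def dos_time_pack(hour: int, minute: int, second: int) -> int:
    """Encode a wall-clock time as a DOS time word (seconds rounded down to 2 s)."""
    return (hour << 11) | (minute << 5) | (second // 2)


def dos_time_unpack(word: int) -> Tuple[int, int, int]:
    """Decode a DOS time word. A marked stamp may decode to 60 or 62 seconds."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & SECONDS_MASK) * 2


def has_wildlicker_mark(word: int) -> bool:
    """True when both marker bits are set in the 2-second count."""
    return (word & WILDLICKER_MARK) == WILDLICKER_MARK


def apply_wildlicker_mark(word: int) -> int:
    """What the description says the virus does to a stamp; used here only to
    build test data that looks like a marked file."""
    return word | WILDLICKER_MARK


def suspicious_stamps(entries: List[Tuple[str, int]]) -> List[str]:
    """Names of entries whose stamp carries the marker or an impossible seconds value."""
    hits = []
    for name, word in entries:
        _, _, sec = dos_time_unpack(word)
        if has_wildlicker_mark(word) or sec >= 60:
            hits.append(name)
    return hits


# Constructed directory listing of (name, DOS time word); not from a real disk.
SAMPLE_ENTRIES = [
    ("CLEAN.COM", dos_time_pack(9, 15, 16)),                          # 09:15:16, bits 1 and 3 clear
    ("MARKED.COM", apply_wildlicker_mark(dos_time_pack(9, 15, 16))),  # becomes 09:15:20
    ("ODD.COM", dos_time_pack(9, 15, 0) | 0x1F),                      # 09:15:62, impossible stamp
]

if __name__ == "__main__":
    for name, word in SAMPLE_ENTRIES:
        h, m, s = dos_time_unpack(word)
        print(f"{name:12s} {h:02d}:{m:02d}:{s:02d}  marked={has_wildlicker_mark(word)}")
    print("suspicious:", suspicious_stamps(SAMPLE_ENTRIES))
```

On a real volume the time words come straight from the FAT directory entries (or from `os.stat` after converting back to the 2-second granularity), and the infected-file check itself should combine this with the file's layout: a COM file that starts with PKLITE 1.15 entry code but is not a PKLITE-compressed program is the stronger indicator described in the text.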

Execution
When an infected file is executed, control is passed to the PKLITE entry code. That code is 100% PKLITE version 1.15 entry code, the code PKLITE writes to the beginning of compressed COM files. When run, that code decompresses a JMP_Virus routine, copies it to the beginning of the program and passes control there, just as the original PKLITE routine does.
In detail, the 1CFh bytes that the virus writes to the beginning of the file decompress themselves into 200h bytes of data that are filled with zero bytes and contain the instruction JMP NEAR Virus_Entry (E9h XXXXh) at the top:
          Before decompression        After decompression
0000      +--------------+            +--------------+
          |PKLITE entry  |            |JMP Near      | ---+
          |code          |            |              |    |
          |--------------|            |              |    |
          |              |            |              |    |
0200      |--------------|            |--------------|    |
          |              |            |              |    |
            . . . . . .                 . . . . . .       |
          |              |            |              |    |
FEnd      |--------------|            |--------------|    |
          |Original      |            |Original      |    |
          |file header   |            |file header   |    |
          |              |            |              |    |
FEnd+0200 |--------------|            |--------------| <--+
          |TPE polymorph.|            |TPE polymorph.|
          |loop          |            |loop          |
          |--------------|            |--------------|
          |Encrypted     |            |Encrypted     |
          |virus code    |            |virus code    |
          +--------------+            +--------------+

If someone tries to decompress an infected file, decompression yields just a 200h-byte file with a JMP-out-of-file instruction at the beginning. From PKLITE’s point of view, the file contains just 200h bytes, and all other data is some kind of internal overlay. As a result, decompression corrupts the file and erases the virus code.

WildFire.2222

Tuesday, June 24th, 2008

Details
WildFire.2222

It’s a dangerous memory-resident parasitic virus. It hooks INT 8 and 21h and writes itself to the end of .COM and .EXE files that are executed. It checks the file name and does not hit the files COMMAND.*, CPAV.*, MSAV.*, VSAFE.*, SCAN.*, NAV.*. Depending on the system date it either delays on every timer interrupt call or erases disk sectors and reboots the computer. It contains the internal text string: “WildFire”.

Wilbur.512.d

Monday, June 23rd, 2008

Details
Wilbur.512.d

This is a benign non memory-resident parasitic virus. It searches for COM files, and writes itself to their ends.
This virus contains the internal encrypted text:
*.COM Berlin, Md’
Japanese Components Detected in Your Computer. Format Underway.
Just Kidding. Wilbur Again.
On December 7th, it hooks INT 09h to disable the keyboard, displays the second string, and reads disk sectors cyclically. The computer is halted.

Wilbur.512.c

Monday, June 23rd, 2008

Details
Wilbur.512.c

This is a benign non memory-resident parasitic virus. It searches for COM files, and writes itself to their ends.
This virus types messages combined from several text strings:
I am not
I am
Akuku.
an Animal.
Wilbur!
a Human Being!
Wilbur sez Hi!

Wilbur.512.b

Monday, June 23rd, 2008

Details
Wilbur.512.b

This is a benign non memory-resident parasitic virus. It searches for COM files, and writes itself to their ends.
On October the 12th, the virus decrypts and types:
Columbus Raped America. Now I Rape your Hard Disk.
NOT!! The procedure is a bit off. Hehe

