Threat Encyclopedia

Virus, spyware, worms and other threat descriptions

Werewolf

Werewolf.658, Werewolf.678, Werewolf.684, Werewolf.685
All these viruses are non-resident, encrypted, direct-action EXE infectors. After infecting all suitable files in the current directory, they try to delete the integrity-checking record files generated by some anti-virus programs. All these viruses contain the text strings:

*.MS *.CPS ANT*.DAT

Other texts differ between individual variants:

Werewolf.658 and Werewolf.678: Home Sweap Home (C)1994-95 WereWolf
Werewolf.684: CLAWS (C)1994-95 WereWolf
Werewolf.685: FANGS (C)1994-95 WereWolf

Werewolf.1152, Werewolf.1168, Werewolf.1361, Werewolf.1367, Werewolf.1208, Werewolf.1500
These are resident, encrypted, stealth COM and EXE infectors. Their code contains simple protections against analysis. They can deactivate the utilities Vsafe, Nohard and Nofloppy as well as the resident parts of the TBAV system. Upon installation they hook interrupt INT 21h. Through INT 21h they conceal the increase in length of infected files and infect files as they are executed. When infecting, the viruses avoid programs whose names contain the strings CLEAN, AVP, TB*, V*, SCAN, NAV, IBM, FINDV*, GUARD, FV*, CHKDSK and F-. The variant Werewolf.1208 is something of an exception: it infects files as they are opened, and in the case of COM files it writes itself to the beginning of the file, shifting the rest of the file further on. All other variants infect in the “classical” way.

They all contain destructive code whose activation depends on the date and the system timer. This code writes random data to the disk. The variant Werewolf.1500 contains destructive code which, depending on the system timer, changes a random byte in data being written through INT 13h. The encrypted body of the viruses, with the exception of the variant Werewolf.1208, contains a text string which is used when searching for the TBAV system controllers.

TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXX

The individual variants contain various encrypted texts:

Werewolf.1152: SCREAM (C)1996 WereWolf
Werewolf.1168: SCREAM! (C) 1995-96 WereWolf
Werewolf.1208: BEAST (C)1995 WereWolf
Werewolf.1361, Werewolf.1367: FULL MOON (C)1995-96 WereWolf
Werewolf.1500: [WULF] (c) 1995-1996 WereWolf

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.